Hi Jean --

There are (at least) 3 counterarguments to the concern that Debian maintainers could maliciously add dangerous commands to their {pre,post}{inst,rm} scripts:

-- the same package system which is open to many for development is equally open to many for testing.

-- by having both "stable" and "unstable" releases, Debian distinguishes between packages which are [likely to have been] tested and those which are not.

-- as the saying goes, "Never interpret as malicious that which could also be explained by stupidity." Humans at commercial software firms are no more protected from their own stupidity than humans who are working to provide free software, _and_ who are offering the world the opportunity to scrutinize their source code.
Another way to pose the question is, what would motivate a developer to include malicious software? He could be pretty sure that the offending code would be found quickly, and he would be identified (via PGP keys) with the problem. The perpetrator would be immediately banned from using the system. And all he got for his trouble was to inconvenience one or a few unknown, randomly selected victims. Not a very good tradeoff.

All the same questions being asked of free software should be asked, of course, of the commercial software...

HTH,
Susan Kleinmann