I mean you get updates from your distro. So in that sense every distro is equally backdoored. If some agents or criminals can get at the infrastructure & signing keys (or the people responsible for those), they could distribute backdoors through the update mechanism. I don’t recall this exact thing ever happening, but, for example, someone hacked Mint’s website some years ago and replaced to ISOs with backdoored ones.
Also, there are what’s called remote code execution (RCE) vulnerabilities, those are found regularly in all kinds of software, but those look like (and most likely almost always are) honest mistakes. Anyone with the right know-how can exploit such an RCE in a vulnerable system. We do know that government agencies pay people to find RCEs, or buy them on the black market, and then keep them secret as a potential offensive cyber weapon to break into systems.
I mean you get updates from your distro. So in that sense every distro is equally backdoored. If some agents or criminals can get at the infrastructure & signing keys (or the people responsible for those), they could distribute backdoors through the update mechanism. I don’t recall this exact thing ever happening, but, for example, someone hacked Mint’s website some years ago and replaced to ISOs with backdoored ones.
Also, there are what’s called remote code execution (RCE) vulnerabilities, those are found regularly in all kinds of software, but those look like (and most likely almost always are) honest mistakes. Anyone with the right know-how can exploit such an RCE in a vulnerable system. We do know that government agencies pay people to find RCEs, or buy them on the black market, and then keep them secret as a potential offensive cyber weapon to break into systems.