I’m stupid, can someone explain which distros are least backdoored? Maybe using a phylogenetic Linux chart to simplify it.
Pretty sure that once upon a time one or more 3 letter agencies asked Torvalds to install a backdoor for them and he told them to shove it.
Plus the code is open source, if there was a backdoor someone would notice it eventually.
You don’t need a backdoor in the source code; you chuck it in the installer or have it download via the package manager, hell, chuck it in snap since it’s got proprietary code. Not saying that’s the case, but there are many routes for installing a backdoor that aren’t so easy to detect.
Compile it yourself :)
There is no way to definitively say that Ubuntu is “backdoored”. Your post is written like bait but I will explore the concept.
Operating systems like Windows and OSX are one big proprietary mess. With these systems, you have no idea what they are doing. They do things without even telling you.
Ubuntu is a system built on Free (as in freedom) open source software (FOSS). It is made up of over 1000 software packages. Some of the packages are FOSS, a few of the packages are proprietary. The packages are precompiled binaries based on FOSS code. You do not have to install the proprietary packages.
The proprietary packages which are included in Ubuntu by default are wifi drivers, graphics drivers, cpu firmware. Is it possible that a backdoor is hidden in the wifi driver? Maybe but you don’t have to install those drivers. You could use a FOSS wifi device or simply not use wifi.
So if we have the Ubuntu system and we don’t install the proprietary blobs/drivers, how do we know that the compiled software packages match the FOSS source code? Well, for one, it is illegal under most circumstances to share binaries compiled from FOSS source code without providing the full source code used to compile the software binaries. The GNU project and Free Software Foundation are willing to do litigation against software which violates FOSS licenses.
Let’s assume that the Linux Distro is disregarding the law. There is a software project called Reproducible Builds, which means that if you compile source code on 2 different machines, you will get the same binary files. While distros like Arch and Debian (and not Ubuntu) are members of the Reproducible Builds project, the project is still incomplete and many packages are not compliant.
So let’s say that you don’t trust the Distro developer to compile binaries for you. You can choose to use a GNU/Linux distro such as Gentoo where all of the FOSS packages are in the form of source code and you have to compile them for yourself.
What about non-hidden “backdoors”? Over 10 years ago, Ubuntu introduced a feature which searched Amazon for “products you might be interested in” when you typed into the Unity search bar to search your computer. This feature was removed after community backlash.
What about unintentional vulnerabilities or exploits hidden within the source code? Obfuscated code is not accepted but even then some things have slipped by. In February 2024, a backdoor was added to the XZ Utils, which potentially added a secret key for the attacker to access some systems remotely through OpenSSH. The exploit was discovered and removed in March 2024. The exploit was luckily discovered before it reached most people. I believe most Ubuntu users were not affected by this exploit unless they were using a “testing” version of Ubuntu. Rolling release distros such as Arch Linux were the most affected. For this reason, it is better to use a stable release distro like Debian, which only adds new software features every 2 years.
In 2021, two researchers at the University of Minnesota submitted intentionally buggy code to the Linux Kernel project as part of an experiment to introduce vulnerabilities into Open Source software. 15 days later, the Linux Kernel project banned the entire University of Minnesota from contributing to the Linux Kernel development.
Is it possible that Ubuntu has a backdoor? Maybe, but it is much less likely to have a backdoor than Windows or OSX.
Is Fedora part of the reproducible builds program?
https://reproducible-builds.org/citests/
https://docs.fedoraproject.org/en-US/reproducible-builds/
I was looking at this page and it would seem that Fedora had once been involved in the project but has maybe abandoned it. It’s been inactive since 2016, but then a Fedora developer tried to reboot their involvement in 2024.
The Reproducible Builds project says that 96.5% of Debian software packages are now made to be reproducible, as well as 88.1% of Arch Linux software packages. This is higher than I had thought.
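Added example (not part of the thread and not any distro's own tooling): the "same source on two machines gives the same binary" idea discussed above, sketched in Python. The same constructed files are packed on two simulated build machines, and the archives only hash identically once timestamps, ownership and member order are pinned, in the spirit of the project's SOURCE_DATE_EPOCH convention. The file names and the `build`, `digest` and `compare` helpers are illustrative assumptions.

```python
import gzip, hashlib, io, tarfile

# Constructed sample "package" contents (not from any real distro package).
FILES = {"usr/bin/hello": b"#!/bin/sh\necho hello\n",
         "usr/share/doc/hello/README": b"sample package\n"}

def build(files, mtime, owner, normalize, source_date_epoch=0):
    """Pack files into a .tar.gz and return its bytes.

    mtime/owner model the build machine's clock and user account.
    With normalize=True the metadata that differs between machines is
    pinned: sorted member order, fixed timestamps, root ownership.
    """
    names = sorted(files) if normalize else list(files)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
            if normalize:
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
            else:
                info.mtime = mtime
                info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries its own timestamp, so it has to be pinned too.
    gz_mtime = source_date_epoch if normalize else mtime
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def compare(normalize):
    """Build on two simulated machines and return both SHA-256 digests."""
    a = build(FILES, 1700000000, "alice", normalize)
    b = build(dict(reversed(list(FILES.items()))), 1700086400, "builder", normalize)
    return digest(a), digest(b)

if __name__ == "__main__":
    for mode in (False, True):
        a, b = compare(mode)
        print("normalized" if mode else "naive", "match" if a == b else "DIFFER")
```

A matching digest from an independent rebuild is what lets a third party confirm that a distributed binary corresponds to the published source.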
Nearly every computer built after 2008 or so is possibly backdoored on a hardware level due to the Intel Management Engine (and its AMD equivalent). But unless you’re committing computer crimes that could arouse interest from the FBI, you’re better off worrying about your password and email security than obscure and unproven methods of exploitation in my opinion.
you’re better off worrying about your password and email security than obscure and unproven methods of exploitation in my opinion.
Literally this. Using a password manager (especially a libre one) is a thousand times more effective and convenient than worrying about “something terrible.”
It should be noted that many laptops with coreboot allow you to disable Intel ME, such as those from System76 and other Linux hardware vendors. You can also do this yourself either by flashing a custom UEFI like coreboot/libreboot/etc or by using a tool like me_cleaner.
I did this a couple of years ago on a ThinkPad T480 using the me_cleaner method and a CH341A programmer. But nowadays that same laptop has libreboot support, which is even better. Either way, check if your hardware can be modified this way, because it grants that extra level of security and privacy.
But unless you’re committing computer crimes that could arouse interest from the FBI
I wanna post videos on youtube and I don’t wanna be oonalived
I have reason to believe that certain youtubers are being oonalived for what they post. Therefore I would like to post completely anonymously, even though everything I’m posting is legal (that never stopped them before), and yes, the eyf letter-after-Ayyy eye has literally visited me irl.
Of course not.
Ubuntu is 100x less likely to be backdoored than Windows or Mac OS because those are proprietary black boxes whose code no one can see.
If you want to be even safer, get one of the Linux distros that does not include any proprietary software like drivers for WiFi, GPU, etc.
It’s reductive and unhelpful to fedjacket the people trying to solve the problem of proprietary software being impossible to audit.
I mean, you get updates from your distro. So in that sense every distro is equally backdoored. If some agents or criminals can get at the infrastructure & signing keys (or the people responsible for those), they could distribute backdoors through the update mechanism. I don’t recall this exact thing ever happening, but, for example, someone hacked Mint’s website some years ago and replaced the ISOs with backdoored ones.
Also, there are what’s called remote code execution (RCE) vulnerabilities, those are found regularly in all kinds of software, but those look like (and most likely almost always are) honest mistakes. Anyone with the right know-how can exploit such an RCE in a vulnerable system. We do know that government agencies pay people to find RCEs, or buy them on the black market, and then keep them secret as a potential offensive cyber weapon to break into systems.
Mint is community run and rips all the sus stuff out of Ubuntu and regularly rails Ubuntu’s company for privacy issues. Pop OS is run by a company that sells computers with the OS on it, but they regularly adopt similar measures as Mint and haven’t done anything sketch yet. You can check your network connections for processes using the internet and search each one and what they do. I used Mint for a decade and haven’t found anything sus. Same with Arch, Debian and Fedora.
For most new-to-Linux, security-conscious gamers / nerds I usually suggest Bazzite (Fedora edited similar to Windows in that core system files cannot change), Nobara (Fedora with custom config), Pop OS (Ubuntu with a Mac-style preset) and Mint (Ubuntu base and distro with largest community, decent at everything and problems usually have easy solutions).
Debian is for being a FOSS extremist on old hardware.
For being a weird coder that wants to develop on Linux and tweak things a lot I suggest Arch, Manjaro, or CachyOS (gamer oriented coding).
If you’re a privacy extremist, you should stop using the internet, and if you do need it, use it only for mandatory tasks on OSes such as Tails or Qubes. To reiterate, these OSes are not good for daily driving as an avid PC user; they are an accessory to your normal activities and give you the highest degree of security. Put it on an old laptop or something and unplug yourself by getting a dumbphone and hook it into a Calyx hotspot and do a VoIP setup with a virtual number.
Debian doesn’t require old hardware, but yes, it does struggle with bleeding edge stuff, especially during the end stages of a stable cycle. It’s really good though.
If Ubuntu was actually backdoor-ed, then probably everyone is fucked no matter what.
But Debian/Arch is less likely to be.
Where’s the backdoor?
Long answer:
This is just sensationalist security theater that’s been popular lately on social networking sites where the end result is to peddle their own programs as “safer”. Yes, every program written can have a backdoor/hidden but known vulnerability. Instead of focusing on things that can or cannot be proven, there are much better ways to think about computer safety, which is ultimately about trust.
All proprietary programs (programs which you cannot control or take responsibility of) are inherently untrustworthy. You are in an unequal relationship with the program’s author(s) and this can lead to many abuses being committed (i.e. not all proprietary programs are malicious, but all proprietary programs are capable of being malicious in a way that non-proprietary software cannot).
Operating systems are a collection of hardware, software, and communities. Currently, there is no commercially available hardware that is completely within your control whether that be through non-auditable firmware blobs, soldered components, hardware exclusion lists (change one component and the computer refuses to boot or the “Windows is not supported on your device” scheme, etc). There is an extensive canon of free programs, from the kernel level all the way to the desktop. There are also strong communities that pursue different interests. These are all more tangible aspects to think about that do more benefit than being fearful of the unknown.
Microsoft Windows is an operating system that runs on closed-down hardware, gives no autonomy to its users in terms of the programs they run, and is hoarded by capitalists. When using Windows, your ability to negotiate control is severely limited, and even then, not everyone has the means to circumvent this control. Thus Windows and by extension Microsoft are able to abuse their position of power.
Ubuntu is far from this model but it’s not perfect. You can decide whether you’re willing to trust Ubuntu and whether to leave Ubuntu if you feel you have been mistreated because with Ubuntu: you have more choice in the matter.
Short Answer
I don’t personally trust running Ubuntu as a desktop OS anymore after they moved their app distribution to snap, whose server backend is proprietary the last time I checked. Ubuntu uses largely the same software that other distributions like Fedora and Arch or Debian do. I trust those distributions more, so I’ll use them, because at the end of the day 95% of “Linux distros” use the same collection of programs. Maybe that’s an issue in and of itself that should be discussed more, but please don’t worry about “the backdoor” anymore.
I like Void Linux quite a lot. No systemd to worry about.
But tbh there is never a guarantee that a clever backdoor doesn’t exist or hasn’t been found and not disclosed in any code. You don’t have to necessarily code one in overtly so much as write some sloppy code that passes the smell test as being useful and not obviously malicious. Some major CVEs get discovered in very important and widespread software every year and who is to say whether the person who discloses them was the first to find them or whether they were intentionally crafted. 0dayz can be sold to the intelligence agencies via their contractor corporations for big money.
Where did you get the information that Ubuntu is backdoored?
Ubuntu isn’t necessarily backdoored, but they have made some questionable decisions that violate people’s privacy and ability to audit them. Specifically, years ago they added a “feature” which was on by default where your system search would also query Amazon at the same time. Which was shitty and anti-privacy obviously, so they took it out after community pushback. An ongoing problem though is with their own packaging format, snaps. The client-side snap software is open source, but it only interacts with the official Canonical snap repository, which is entirely closed source on the backend. This opens up the possibility of back doors in snap and snap applications, as well as invasive analytics and other spying. Mint doesn’t include any of this shit so I’d say it’s safe and clean.