A just-received email had some interesting info, including this
"joke" representation of Debian's random number generator (RNG) as it
would be used for SSL and other supposedly secure connections:
int getRandomNumber()
{
    return 4; // chosen by fair dice roll and guaranteed random :-)
}
More info here:
<http://www.debian.org/security/2008/dsa-1571>
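The point of the joke is that the advisory's underlying defect left the generator with essentially one input, the process ID, so only about 32768 distinct keys could come out of it per key type and size. The following is an added illustration (not code from the email, Debian, or OpenSSL) of why that matters and of the defender's response that the Debian blacklist packages took: enumerate the whole weak key set once, then check any key against it. The key derivation here is a constructed stand-in for the broken generator, and the 32768 figure is assumed from the Linux pid_max default of the time.

```python
import hashlib
import math
import os

# Constructed model of the DSA-1571 situation: the only "randomness" reaching
# the key generator is the process ID, so the seed space collapses to pid_max.
PID_SPACE = 32768  # assumed Linux default pid_max of the era


def weak_keygen(pid: int, length: int = 32) -> bytes:
    """Hypothetical deterministic generator: the key is a pure function of the PID.

    Any fixed function of the pid would do here; the real generator was just as
    deterministic once the other entropy sources were removed.
    """
    return hashlib.sha256(b"weak-seed:" + str(pid).encode()).digest()[:length]


def strong_keygen(length: int = 32) -> bytes:
    """What a key generator should be doing: pull from the OS CSPRNG."""
    return os.urandom(length)


def effective_entropy_bits(seed_space: int) -> float:
    """Entropy of a key that is a deterministic function of one seed value."""
    return math.log2(seed_space)


def build_blacklist(seed_space: int = PID_SPACE) -> set:
    """Precompute every key the weak generator can ever emit.

    This is the defender's side of the story: the Debian openssl-blacklist and
    openssh-blacklist packages shipped exactly this kind of table (as hashes of
    the real weak keys) so hosts could refuse them.
    """
    return {weak_keygen(pid) for pid in range(seed_space)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """Check a key against the enumerated weak set."""
    return key in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print(f"weak generator: {effective_entropy_bits(PID_SPACE):.0f} bits of entropy, "
          f"{len(bl)} possible keys")
    print("key from pid 1234 blacklisted:", is_weak(weak_keygen(1234), bl))
    print("os.urandom key blacklisted:   ", is_weak(strong_keygen(), bl))
```

Building the full table takes a fraction of a second, which is the whole problem: a key space small enough for a defender to enumerate for a blacklist is equally small for anyone else, so the fix has to be regenerating the keys, not just detecting them.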
Also in the email:
" Have you ever added a repository to your distribution? Have you
" ever installed a Linux package that has not been signed? Do you
" trust each and every package developer? (who can update ANY package
" in the tree).
" Did anyone who signed a package have a Debian distro and did it
" between September 2006 and May 13th, 2008? (and had the predictable
" RNG).
May 13, 2008, is the date of the above Debian Security Advisory.
Also cited are these reports and studies of package manager security
(or lack thereof).
<ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf>
and
<staff.science.uva.nl/.../report.pdf>