I guess it comes down to does FreeBSD have a lower attack vector than other os.
It doesn't, but this isn't a one-dimensional thing ... it certainly has a different one. And it's less "attractive" for such attacks because of deployment numbers...
Does FreeBSD differs in terms of way it gets new/update on software.
For the base system, certainly. Third party software used there is tightly integrated (which among other things also means integration into the single BSD-make build system). This would already have rendered that specific attack disfunctional, the backdoor stuff was pulled in leveraging the GNU-autotools build system. It doesn't mean backdoors coming from third party upstreams were entirely impossible, but you certainly can't use some upstream build system for that and hiding will certainly be harder as well, as some code will certainly be read for integration with FreeBSD base.
For ports: No, not in general. Every package building system for some distribution of opensource software works differently, but they all at some point fetch source from upstream projects, compile and package that. Thinking about auditing all this upstream code is completely unrealistic. There are differences in details of course. Some package build systems declare it "best practice" to always obtain upstream code directly from source (mostly git) repositories. Again, this would have prevented
this specific attack (the hook into the build system was in some GNU autotools generated file that's of course not present in the repo), but then, you can come up with other ideas as well. I've already seen discussions claiming one should never build packages from upstream-provided source tarballs. I think that's pretty much nonsense, if you can't trust the distfiles provided by some upstream project, how can you trust other stuff in their repo... In FreeBSD ports, the opposite is best practice: Always use upstream distfiles when they exist and are usable, only fall back to obtaining code from source repositories when you have to. This is just more efficient (often preventing huge build dependencies) and also more robust (you have an actual file with some initially generated sha265 hash, if THAT ever changes you know you have to take a VERY close look at the diffs).
In the end, all software distributions (like FreeBSD ports) can do is distribute software. If you can't trust upstream projects, you'll have a problem.
github.com
