Posts: 4,556 | Thanked: 1,624 times | Joined on Dec 2007
#21
Originally Posted by wmarone View Post
Then you end up with fun incidents like the guy who guessed the default root password on jailbroken iPhones and left all of them a message. Nice little security hole, that one.


They were apparently snatching the numbers from the phones in the free version, and calling them to try and sell the full (paid) version.

The thing about the ssh hole is that a lot of people jailbroke their phones without understanding what the process did. Anyone that knowingly installs ssh usually will realize to change their password (or disable password authentication) and use keys. I believe that's more dangerous than an inherently open system (as long as people are willing to learn.. that seems to be the issue these days).
__________________
Originally Posted by ysss View Post
They're maemo and MeeGo...

"Meamo!" sounds like what Zorro would say to catherine zeta jones... after she slaps him for looking at her dirtily...
 

MountainX
Posts: 415 | Thanked: 193 times | Joined on Jun 2009 @ A place with no mountains
#22
Originally Posted by mmurfin87 View Post
If tomorrow everyone were to wake up and start using Linux instead of Windows, Linux would probably not be up to the task of defending itself against the deluge of hackers that would switch over from exploiting windows.

I quite frankly doubt the internet would survive this period in its current form.
Linux is already defending itself well, as the arguably dominant operating system behind web servers (and that is more or less true for the entire history of the Internet).

"Forty percent of servers run Windows, 60 percent run Linux," he said. "How are we doing? Forty is less than 60, so I don't like it. ... We have some work to do."

–Steve Ballmer, Microsoft CEO (September 2008)
http://www.pcworld.com/businesscente...to_google.html
__________________
Hi! I would like to help make your experience on these forums better. If I can help with anything, just ask!

Useful links for newcomers: New members say hello, New users start here, Community subforum, Beginners' wiki page, Maemo5 Intro, Frequently Asked Questions (FAQ)

Choosing open source is an important purchasing decision for your future. The closed source model of computing is a form of exploitation -- of us! Open source empowers us. Be smart -- choose open source.

Last edited by MountainX; 2009-11-19 at 04:13. Reason: typo
 
allnameswereout
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#23
Originally Posted by Devil View Post
edit: request: norton for maemo
Anti Virus software nowadays rather deals with all kinds of malware such as spyware and trojan horses. Such tools (both pro and anti) are also available for *NIX. The problem is that 1) people misconfigure software 2) install software from dubious sources 3) software is left unpatched.

Problem #1 example: SSH server on iPhone. We can deal with it by proofreading our documentation. That is, we proofread our own and each other's information. Our posts on t.m.o, wiki, mailing list, and so on. Already happens btw, but there is no data available on how severe this problem is in the Maemo community.

Problem #2 example: there are many, but I cannot think of one. It is harder to deal with because it's the user's fault. However, because we have signed packages, and because those who upload packages use their real name, the problem is less severe. Because open source software is widely available, we don't depend on closed software or warez. More advanced security layers like capability-based security and DRM probably increase quality of this in Maemo 6.

Problem #3 example: Adobe Flash, Gecko. It is less severe when one runs popular open source software, although the less popular flies under the radar anyway. A) If this platform is to survive it needs support for the software, and that means bugs in for example Gecko must be patched ASAP by upstream. That means Nokia. In the past they neglected this, but I believe now they will deal with this correctly. B) In case of community-based software, like for example OpenSSH, you're entirely dependent on the package maintainer and their upstream provider, and this is one of the reasons Nokia provides no warranty on this software. If there is a market for such, a third party could provide a software repository for Maemo for a fee, with support contract for corporate users (SLA, blah, enterprise). More likely is that corporations will deal with this in-house/internally. While one is right to describe this as a risk, the question is whether commercial support for proprietary applications is better than community support for open source applications. I don't believe either one is better, it just depends very much on involved factors.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!
 
allnameswereout
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#24
Originally Posted by Laughing Man View Post
The thing about the ssh hole is that a lot of people jailbroke their phones without understanding what the process did. Anyone that knowingly installs ssh usually will realize to change their password (or disable password authentication) and use keys. I believe that's more dangerous than an inherently open system (as long as people are willing to learn.. that seems to be the issue these days).
Or Debian's OpenSSH key debacle. In both cases it was the package maintainer's fault instead of upstream's. Because when installing the software, the system should by default protect the user and only at their explicit authentication do something Very Stupid (like enable a user account with default username/password; pathetic this still happens TBH!). If the method the user uses to do this something Very Stupid is one of the normal pathways, it'll warn. Like for example, the user installs the SSH server package. But if the user takes different paths, say compiles and installs their own SSH server or plays with /etc/pam.*, then that is their responsibility. The difference between Maemo and Symbian is that Symbian would only allow signed binaries, and that these binaries have several capabilities defined which a user is reasonably able to understand. Linux, and *BSD, can provide something akin to this, but the OSes were not designed from the ground up with this design in mind. We have some Brainstorms related to this issue btw, and Nokia has some plans too for Maemo 6. See wiki page Maemo Security.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!
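
Added example, not part of any post in this thread and not code from Maemo or OpenSSH: a small Python audit of an `sshd_config` for the condition discussed above, where password login (especially for root) is left enabled by the package's configuration instead of key-only authentication. The default values and both sample configurations are assumptions constructed for illustration; the parser follows sshd's first-occurrence-wins rule and only evaluates the global section.

```python
import re

# Assumed upstream OpenSSH defaults; a distribution's build may differ.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed samples, not taken from any real device or package.
SAMPLE_WEAK = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
SAMPLE_KEYS_ONLY = (
    "PermitRootLogin prohibit-password\n"
    "PasswordAuthentication no\n"
    "ChallengeResponseAuthentication no\n"
    "Match User backup\n"          # per-user overrides are not evaluated here
    "    PasswordAuthentication yes\n"
)

def effective_settings(text):
    """Global-section values: first occurrence wins, parsing stops at Match."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # a commented-out line sets nothing
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                 # keywords are case-insensitive
        if key == "match":
            break
        if len(parts) < 2 or not parts[1].strip():
            continue
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in seen:
            seen[key] = parts[1].split()[0].strip('"').lower()
    return {**DEFAULTS, **seen}

def audit(text):
    """Return findings for password-based login paths left open."""
    eff = effective_settings(text)
    password_paths = [k for k in ("passwordauthentication",
                                  "kbdinteractiveauthentication") if eff[k] == "yes"]
    findings = [f"{k} is enabled" for k in password_paths]
    if eff["permitrootlogin"] == "yes" and password_paths:
        findings.append("root can log in with a password")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("key authentication is disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("keys-only", SAMPLE_KEYS_ONLY)):
        print(name, audit(cfg) or "no password login path in the global section")
```

On a live host, `sshd -T` prints the effective configuration of the installed build, which is the authoritative source for defaults.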
 