Ok, then. Let’s look at each one:
- Technically possible, i.e., does the current or future state of human technological progress allow for its implementation?
Yes, of course. There are many documented cases of backdoored software in the history of computing.
Just like almost any OS, there is nothing about the nature of software or computation that would prevent the insertion of a backdoor into Qubes OS. It’s just a matter of adding the code.
So, this technical question is somewhat trivial and probably not what you care about. Instead, you probably care more about questions like these:
- How likely is it that such a backdoor would be added? For example, how would it get inserted? Considering our extremely rigorous process of code security review and code signing checks compared to the vast majority of other software projects, it seems unlikely that a contributor would be able to slip one in, and (as explained below), I think it’s also exceedingly unlikely that a core developer would try to slip one in.
- How likely is it that such a backdoor would go unnoticed? For example, if it gets noticed before it ever makes it into a release, then it never affects any users. This depends, among other things, on how many eyes are on the code (more on this below).
- Epistemically possible, i.e., is it already happening, and we just don’t know it?
It depends on your epistemic position. Speaking only for myself, I would say the odds are very low, but of course nothing’s impossible. I have a semi-insider’s view (i.e., I’m privy to more of the internal operations than the general public, but there are still many things to which I’m not privy). From this point of view, I have seen zero indication that anyone on the team wants to or is being pressured to do anything like this. (Of course, it’s always possible that I’m the target of an elaborate deception and that I’m intentionally being fed disinformation or something, but I haven’t noticed any signs of anything like that so far.)
The fact that the code is completely open-source helps here, and it will help even more once ISOs are built reproducibly. This will allow people who scrutinize the source code to build an ISO from the source code they’ve scrutinized and confirm that it’s bitwise identical to the ISO distributed by the core devs. That means the rest of us who lack the skill to understand the source code can benefit from their scrutiny. On the other hand, none of this matters if no one outside of the project looks at the source code, which is why we all very much want a lot of eyes on the code. (As a user, I want this for the security benefits, and as a representative of the project, I want this to bolster the evidence of our trustworthiness.)
- Likely, i.e., how high is the likelihood that the Qubes OS Project or the team behind it will do one or more of these things?
IMO, extremely low, for the reasons already given above, but again, not impossible. From what I know of the Qubes devs, none of them would ever want to do anything like this. They are nice, normal folks with good motives. However, we can’t rule out the possibility of exogenous forces like court orders, government agency operations, bribery, coercion, etc. I think most (if not all) of us on the team just want to lead quiet, peaceful lives while working on things we find important and interesting, and we sincerely hope the things I just listed stay far away from this project and the people involved in it. We have canaries, which provide some degree of assurance against certain kinds of exogenous interference into the project, but they’re not infallible. The more extreme the scenario you imagine, the less likely canaries or any other measure will be sufficient to guard against it. When thinking about these matters, I think it’s useful to consider several questions:
- Many bad things could happen, but what would the motivation be for the people doing them? What would the costs be, and how would they justify those costs (including opportunity costs)? What risks would they be taking, and what would they stand to gain?
- If you’re worried about some specific type of extreme negative scenario with respect to this project, how does it compare to other projects or companies? Could it also happen at other places? Is the likelihood higher or lower at the other places? Why?
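The reproducible-build check described above (rebuild the ISO from the scrutinized source and confirm it is bitwise identical to the published one), as an added example that is not part of the original post or of the Qubes project's own tooling: it assumes the published digests arrive as sha256sum-style `<hex digest>  <filename>` lines (the PGP signature on that list is verified separately with gpg), and all file names and data are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed digest-list format: sha256sum-style "<hex digest>  <filename>" lines,
# possibly inside a clearsigned PGP block (verify that signature with gpg first).
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S+)$")
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_digest_list(text):
    """Return {filename: {algorithm: hexdigest}}; non-digest lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line.strip())  # skips PGP armor, "Hash:" headers
        if m and (algo := ALGO_BY_HEXLEN.get(len(m.group(1)))):
            entries.setdefault(m.group(2), {})[algo] = m.group(1).lower()
    return entries

def hash_file(path, algorithm):
    """Stream the file so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_reproducible(local_path, published_name, digest_text):
    """Return {algorithm: matched} for every digest published under that name."""
    published = parse_digest_list(digest_text).get(published_name)
    if not published:  # "nothing to compare" must fail loudly, not pass silently
        raise ValueError(f"no digests published for {published_name}")
    return {algo: hash_file(local_path, algo) == digest
            for algo, digest in published.items()}

def demo():
    """Constructed data: a 'release' and a local rebuild differing in one byte."""
    release = b"constructed ISO bytes " * 1000
    name = "Qubes-EXAMPLE-x86_64.iso"
    digest_text = "\n".join(f"{hashlib.new(a, release).hexdigest()}  {name}"
                            for a in ("sha256", "sha512"))
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "good.iso"), Path(d, "bad.iso")
        good.write_bytes(release)
        bad.write_bytes(release[:-1] + b"!")
        return (verify_reproducible(good, name, digest_text),
                verify_reproducible(bad, name, digest_text))
```

A single differing byte flips every algorithm to False, which is exactly the signal a non-expert needs: either the rebuild is bitwise identical or it is not.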