Debian Bug Leaves Private SSL/SSH Keys Guessable
But the point here is that the freedom that OSS gives you does require you to trust the whole distribution chain. In this case there was an added muppet who did something they shouldn't have thus rendering everything downstream insecure. OSS is great but it required great developers, given that it has take well over a year to get the advisory out it shows that the many eyes piece didn't work here, mainly because the eyes were looking at the original source not the botched packaging job. This is actually the number one reason I use slackware. Every package gets built by one guy. And if anything, it's easy to trust one guy. And he happens to be the one with the most experience at making packages. Not only that, his philosophy is to provide pristine packages from its source as far as possible. No worries of changes to these packages except critical bug fixes, and these are usually the kind that go upstream anyway.
Frankly, I'm not surprised that this occurred in Debian. I have seen how they package before. Usually that have the original source and one giant make-package-debian-centric diff file that would be insanely hard to audit -- correct me if I'm wrong -- at least for anyone outside debian or did not build the package in the first place.