Why do you trust Debian? (I say this as a happy Debian user/sysadmin/occasional package maintainer).
In particular, it's a volunteer-run organization in which it's not unusual at all to volunteer to maintain a package as part of a day job that uses that package, and where a large amount of discretion is given to the individual package maintainer, until they choose to hand maintenance to someone else. This is perfect for an organization that wants to push security configuration weaknesses. Even if you can't get a back door in, you can certainly default to code that you have privately found vulnerabilities in, or compile with or without certain options, add third-party patches that are pretty questionable, or add CAs that are particularly easy to coerce. None of these actions look weird at all; they just look like someone who is putting work into their package and caring about doing Debian-specific work to make it work well. In particular, until relatively recently, the Debian ca-certificates package included the CAcert root cert, which was in very few other root stores, and the SPI one, which was in no other stores.
It's also the case that Debian accepts binary packages built on the developer's personal machine (and this used to be required until very recently), so it's very easy to straight-up upload a backdoor that isn't in the source. (This might have changed recently, but I believe this was true at least as recently as the last stable release.)
I trust people doing it largely for themselves and the community reputation _more_ than I trust people who are expected to deliver more returns every year in a stagnating market.
But you don't know if someone is doing it for themselves and community reputation, or if they're a fake persona created by someone who wants to break into servers. All it takes is one stereotypically-stubborn open source maintainer who gets grumpy about switching old reliable cryptographic defaults for kids-these-days defaults - which is a thing that real-world stubborn open source maintainers, on whom the stereotypes are based, do: https://sourceware.org/bugzilla/show_bug.cgi?id=13286
Do you know if the version of OpenSSL in your Debian has any patches to its cipher suite selection algorithm, compared to upstream? (Genuine question; I haven't checked.) If it did, and you saw someone being grumpy on a Debian bug and refusing to remove the patch, would you suspect that they were actually evil? Or just grumpy?
Remember, also, that Debian is the distro that patched their OpenSSL to ludicrously weaken the random-number generator, and the Snowden leaks confirmed that the NSA backdoored a random-number algorithm. I am not at all saying that the NSA was behind the patch (it looked genuinely like an oversight), but if the NSA wanted to be behind a similar patch, no one would think it abnormal.
That's totally fair, but I hope that each of those organizations has a vested interest in exposing each other; at the very least it's in the NSA's charter to protect American businesses against attacks. I have no idea if they feel this is an effective way, though. So yes, it's risky.
But Microsoft has all those disadvantages too; even though it's harder to get moles inside, it's easier to have their stuff go undetected (and in the case of the NSA it might even be done with full cooperation). Plus, the market share makes them a bigger target.
Outside probable hypotheticals, what we know for certain is that Microsoft is attempting to monetize their new Windows on the back of users' data.
While I mentioned the NSA, really the bigger threat is a guy (or hacker group) who wants to pull off a million dollar heist. The NSA can get into (practically) anything and everything.
To get a job at MS, you have to have a real life reputation. Once you get in, there will be others analyzing your code, and your bug may not make it to release.
To insert a bug into Debian, become a packager and you're done. Access to one of the most popular server (the important stuff is here) OSs (Debian, Ubuntu) on the web.
You're busted? Create another account and start over.
If the NSA were trying to protect American businesses against attacks, they would responsibly disclose vulnerabilities they discover. But for the most part they hoard them.
Debian had some fairly dubious CAs included for almost 10 years, so they're not without fault. Looks like they've cleaned up - and at least their processes are fairly transparent.
Another nice thing about Debian's certificate package is that debconf will prompt you to accept each new certificate if you have debconf set to show low priority questions. I have not seen anything similar in other distributions or OSX.
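The per-certificate selection debconf manipulates ends up in /etc/ca-certificates.conf, where a leading "!" marks a root the admin declined. The following is an added example, not code from the thread, that parses that file and reports which enabled roots come from outside the Mozilla bundle (the CAcert and SPI cases mentioned above); the sample config contents are constructed.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the format of /etc/ca-certificates.conf:
# one cert per line as <source-dir>/<file>.crt, '!' prefix = deselected,
# '#' lines are comments.
SAMPLE_CONF = """\
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/ACCVRAIZ1.crt
mozilla/Actalis_Authentication_Root_CA.crt
!mozilla/Some_Deselected_Root.crt
cacert.org/cacert.org.crt
spi-inc.org/spi-cacert-2008.crt
"""

ENTRY_RE = re.compile(r"^(?P<disabled>!?)(?P<source>[^/\s]+)/(?P<name>\S+\.crt)$")


def parse_ca_certificates_conf(text):
    """Return a list of (source_dir, cert_file, enabled) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # skip lines that do not look like cert entries
        entries.append((m["source"], m["name"], m["disabled"] != "!"))
    return entries


def enabled_by_source(entries):
    """Group enabled roots by the directory they were shipped in."""
    grouped = defaultdict(list)
    for source, name, enabled in entries:
        if enabled:
            grouped[source].append(name)
    return dict(grouped)


def non_mozilla_enabled(entries):
    """Enabled roots that did not come from the Mozilla bundle."""
    return sorted(f"{s}/{n}" for s, n, e in entries if e and s != "mozilla")


if __name__ == "__main__":
    path = "/etc/ca-certificates.conf"  # real file on a Debian system
    text = open(path).read() if os.path.exists(path) else SAMPLE_CONF
    for item in non_mozilla_enabled(parse_ca_certificates_conf(text)):
        print("non-Mozilla root enabled:", item)
```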
Most notably for me, the list doesn't show any of the foreign roots, Agencia Notarial de Certificación, Autoridad Certificadora Raíz Nacional de Uruguay, etc. Are they kept anywhere else?
EDIT: According to the author, Manage Computer Certificates will only show you that a trusted root exists after you've used it. Trusted roots that you've never used are invisible: http://hexatomium.github.io/2015/08/29/why-is-windows/
The test he provides still works: "OpenTrust Root CA G3" won't show up in Manage Computer Certificates until you visit https://www.opentrust.com/
So, Manage Computer Certificates is useless for untrusting roots Microsoft trusts for you.
One additional note, most applications in Windows by proxy follow this OS level list of trusted certificates. Notable exceptions are Java and Firefox which maintain their own CA repositories in their installations.
This is the reason I hate the JVM from a sysadmin/devops perspective. It tries to manage things that should be left to the OS (CAs, fonts, time, etc.). It's not too big of a problem for end-user applications with a package-manager-maintained JVM, but if you want to use the JVM for any kind of daemon (application server, database, messaging system) your sysadmin has to become a jvmadmin too.
It would not be such a bad thing if you really, really wanted to manage the system per application, if there were a "fall back to OS" option. But then again, moderately sized applications have been run in their own virtual machines for quite some time, and these days containers are a pretty prevalent solution for self-containing even small applications.
On OS X, open the app Keychain Access and look at the System Roots keychain -- you can see all the root certs there.
For Windows: I have never done this myself, but the link mentions a tool called RCC that lists root certs and highlights potentially suspect ones, I guess? No clue if this is legit; use at your own risk: https://www.wilderssecurity.com/threads/rcc-check-your-syste...