
Synology DSM is a GNU/Linux distro. It runs the exact same stuff as any other distro, including the kernel and all services and the filesystem. The only differences between building your own NAS with a good server distro like Debian 'stable' and running a "commercial" Synology box are:

1. The client interface to the NAS.

2. The 'cloud' services.

Only #1 is actually a deliverable with the Synology NAS. And #2 presents a terribly broken privacy policy...

For myself, I'd much rather be running something that I know is updating from an authenticated and keyed repo than something which is attempting to make the user believe that somehow the "commercial" NAS is magically different than running a regular GNU/Linux distro...



It would be good if that was the only difference, but unfortunately NAS boxes usually lack the competent security updates and the automated delivery mechanism for them.


Compared to a good (I don't really consider Debian "good", since the 2006 OpenSSL screwup) Linux distro: you control your own software, you can make sure it's kept up-to-date and the binaries come from a trusted source (and you can build them yourself, if you want to).


If you're upset about the OpenSSL screwup, you're mad at the OpenSSL project for telling the Debian maintainer that commenting out some code would be OK.

Your beef is with ulf@openssl.org, not the Debian project.

http://marc.info/?l=openssl-dev&m=114652287210110&w=2


He didn't say that he was a Debian maintainer or planning to comment out the two lines and ship it in a distro, misdescribed what he was commenting out, and didn't provide enough context to make it clear that he'd misdescribed it. (Even knowing what functions the lines he was commenting out were in would probably have been enough to ring alarm bells.)

There's a limit to how much effort the OpenSSL developers should have to put into stopping people from shooting themselves in the foot, and tracking down lines of code identified only by their line number in an unspecified version of OpenSSL to make sure they do what some random guy on the mailing list thinks they do is way over that limit.


I'm upset that in the year 2014 we still think that having the package maintainers patch ancient software instead of providing latest upstream versions is a good idea. I'm a big fan of the *BSD package management model - they give you a stable core, you pick your own (upstream, possibly bleeding-edge) versions of everything else.


I'm not sure what you mean...

Are you comparing the Synology GNU/Linux distro to Debian or some generic [non-Debian] distro to Debian?

If you are comparing Synology to Debian, then the "trusted" source argument is entirely flawed. The source, meaning both source code and source of software, of software running on Synology hardware is not Synology. Synology only makes the GUI client that runs on your machine that locally interfaces to the NAS box.

As to the Debian 2006 SSL problem... stuff happens... Apple had some silly security problems too, much more recently than 2006. And Android is so full of holes, it's a wonder the platform works at all...

However, when the generalized public buys a NAS product -- the vendor should indicate the potential security problems regarding "cloud" connections in big bold letters on the box and in the manual and have a large red warning that pops up in the user interface. My guess is most users wouldn't care, but it actually is extremely risky to connect these devices to the wild wild west open Internet.


Surely you'd need to write it yourself. Well, no - what if the compiler is compromised!

http://cm.bell-labs.com/who/ken/trust.html


I think I trust my compiler to generate clean assembly more than I trust a commercial company like Synology to write secure software.



