Re: Security??? @AC re Apache and IIS
I think that you are deliberately blurring the distinction between an operating system and an application in a repository, particularly in the Open Source world.
Just because something appears in the repository for a particular OS does not mean that it forms part of the operating system! If it did, then you could imply, by applying reductio ad absurdum, that everything in the Apple App store or Google Play is part of IOS or Android respectively.
What Redhat, Cannonical, SuSE, Debian et. al. do when creating a repository is take a package which has an open or permissive licence, and compile it to run on their distribution. They take ownership of the port and packaging, but pass any security, functionality or performance problems upstream to the package owner. And in some parts of the repositories, there are community maintained packages where the Distro maintainer does even less!
So in the case of Apache, problems that have nothing to do with the build process will be passed to the Apache Software Foundation, not owned by the Distro organisation.
You were correct in pointing out that my analogy with IIS was actually not a good one though, because with IIS, the owning organisation is the same as the owner of the OS.
I don't think that was your intention, however!