Are all programs in the Official Repo safe?

First post, so please let me know if I did anything wrong. Also sorry if this is a dumb question.

I downloaded Filezilla (which I now understand has malware bundled with it, at least in the Windows version) from the official repository and I’m a bit concerned that it may include malware. I’m not sure what the process is for a program to be included in the official repo. I looked on the Arch Wiki and couldn’t find a clear answer, but I very well may have missed something.

Is the code fully audited by the maintainer before being included in the official repo?

Thanks for your time.

2 Likes

Filezilla is in the community repos.

https://wiki.archlinux.org/title/Official_repositories#community

It’s packaged by a trusted user.

Filezilla is an open sourced project

Should you trust the packager and the project? No more than you should trust my opinion as some guy on the internet on a forum you’ve been on for 3 hours. Go through the source code yourself.

If you can’t or don’t want to, that’s up to you if you trust the person who packaged it.

Personally I trust anyone proven to be worthy as an Arch trusted user enough to use Arch. Only you can make that call though.

4 Likes

Filezilla is not malware. At least not that I know of in Linux.

Edit: just read it may have contained some type of adware at some point. I was not aware of that.

Windows seems to be poised with adware once you log in with a Microsoft account anyway. It is easier to get adware on Windows than on Linux, since we install software from the package manager rather than from multiple sources.

2 Likes

From what you said about malware, the report was that it had been bundled with something dodgy. It is not bundled with anything on Linux. On Windows, it may be available from an untrusted source (Microsoft store? :grin:) and who knows - but I do not expect that to arise here. I use it pretty often to enable file transfers for different machines, phones and tablets as required…FWIW.

2 Likes

The packages in official Arch repositories (core, extra, community, and multilib) are all packaged by Arch developers and Trusted Users. Their names and email addresses are known to us (use pacman -Si package_name to see who packaged it). EndeavourOS ships with an additional repo called endeavouros. Packages in it are packaged by somebody on the EndeavourOS team, probably @manuel or @joekamprad (unfortunately, the name of the packager is listed simply as “EndeavourOS”).

The mere act of using Arch Linux (or EndeavourOS) presupposes trust in the official repositories and their maintainers. Specifically, we trust them not to intentionally or by omission package malware into the software we download from the official repositories. Without this trust, one should not be using Arch Linux. It does not matter what package we’re talking about, whether it is something that every Arch Linux user has installed, like bash, or something very specific like filezilla – they are packaged by the same group of people so this trust is all or nothing. It’s as simple as that.

The same is true for any unofficial, third-party repositories you yourself add to your pacman.conf: you need to trust the people who maintain them in order to use them (so it’s a good idea to know who is the maintainer). Read and understand this before you add a third-party repo: [FAQ] The dangers of using 3rd party repos

However, if you are concerned about some third party (for example, a mirror server owner, or a hacker with access to a mirror server) intercepting your downloads and serving you malware packaged into packages, that is impossible. Only the original packager has the power to include malware in packages, because all packages are checked for tampering by the package manager on your computer. If the signature of a downloaded archive file does not match, you get an error and nothing is installed. So, no trust in mirror owners is necessary.

None of this applies to the AUR, as the AUR is not an official repository and it only contains PKGBUILD files that contain the instructions how to package something yourself on your local machine. For any software from the AUR, you are the packager, using somebody else’s build scripts (who may or may not be trustworthy), so it is your responsibility to make sure no malware gets packaged into the packages you build.

8 Likes
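As an added example (not code from this thread or from the Arch/EndeavourOS projects), a small POSIX sh helper that applies the packager and signature point made above: it reads `pacman -Qi` output and lists the installed packages that were not validated by a packager's signature, which is how locally built AUR packages show up on an Arch system. The package names, versions and packager names in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: list installed packages whose
# files were NOT validated by a packager signature, i.e. packages you built
# locally (typically from the AUR) rather than ones signed by an Arch
# developer / Trusted User. It parses the "Name", "Packager" and
# "Validated By" fields of `pacman -Qi` output read on stdin.

audit_unsigned_packages() {
  awk -F' *: *' '
    $1 == "Name"         { name = $2 }
    $1 == "Packager"     { packager = $2 }
    $1 == "Validated By" { validated = $2 }
    /^$/                 { emit() }       # blank line ends one package record
    END                  { emit() }
    function emit() {
      # "Signature" means pacman checked the packager key; anything else
      # ("None", "SHA-256 Sum") means nobody vouched for this package.
      if (name != "" && validated != "Signature")
        printf "%s\t%s\n", name, packager
      name = ""; packager = ""; validated = ""
    }
  '
}

# Constructed sample in pacman -Qi format (placeholder names/versions);
# in real use run:  pacman -Qi | audit_unsigned_packages
SAMPLE_QI='Name            : bash
Version         : 1.0-1
Packager        : Example Developer <dev@example.org>
Validated By    : Signature

Name            : filezilla
Version         : 1.0-1
Packager        : Example Trusted User <tu@example.org>
Validated By    : Signature

Name            : example-aur-tool
Version         : 1.0-1
Packager        : Unknown Packager
Validated By    : None
'

printf '%s' "$SAMPLE_QI" | audit_unsigned_packages
```

Only the locally built package is printed; the two signature-validated packages are silently accepted.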

That’s because we are working as a team :wink:
All PKGBUILDs and sources are open:

4 Likes

Well, that in itself is not the reason why I trust you (if you were malicious, you could use a different PKGBUILD than the one that is publicly available), and it’s not the reason to trust a third party repo, as you have no guarantee that the publicly available PKGBUILD is the one used to build the package in the repo.

Of course, since I use EndeavourOS, that basically means that I would trust you and @manuel, and everyone else on the team (as well as all Arch TUs) with access to my computer. If that were not the case, I would not use EndeavourOS. The trustworthiness of the EndeavourOS team has been proven again and again, at least in my opinion.

4 Likes

Thanks a ton for all of your responses. Sorry again for the dumb question, I just get really paranoid about this type of thing, but your explanations make perfect sense. Thanks again, and take care.

5 Likes
