First post, so please let me know if I did anything wrong. Also sorry if this is a dumb question.
I downloaded Filezilla (which I now understand has malware bundled with it, at least in the Windows version) from the official repository and I’m a bit concerned that it may include malware. I’m not sure what the process is for a program to be included in the official repo. I looked on the Arch Wiki and couldn’t find a clear answer, but I very well may have missed something.
Is the code fully audited by the maintainer before being included in the official repo?
From what you said about malware, the report was that it had been bundled with something dodgy. It is not bundled with anything on Linux. On Windows, it may be available from an untrusted source (Microsoft store?) and who knows - but I do not expect that to arise here. I use it pretty often to enable file transfers for different machines, phones and tablets as required… FWIW.
The packages in official Arch repositories (core, extra, community, and multilib) are all packaged by Arch developers and Trusted Users. Their names and email addresses are known to us (use pacman -Si package_name to see who packaged it). EndeavourOS ships with an additional repo called endeavouros. Packages in it are packaged by somebody on the EndeavourOS team, probably @manuel or @joekamprad (unfortunately, the name of the packager is listed simply as “EndeavourOS”).
The mere act of using Arch Linux (or EndeavourOS) presupposes trust in the official repositories and their maintainers. Specifically, we trust them not to intentionally or by omission package malware into the software we download from the official repositories. Without this trust, one should not be using Arch Linux. It does not matter what package we’re talking about, whether it is something that every Arch Linux user has installed, like bash, or something very specific like filezilla – they are packaged by the same group of people so this trust is all or nothing. It’s as simple as that.
The same is true for any unofficial, third-party repositories you yourself add to your pacman.conf: you need to trust the people who maintain them in order to use them (so it’s a good idea to know who the maintainer is). Read and understand this before you add a third-party repo: [FAQ] The dangers of using 3rd party repos
However, if you are concerned about some third party (for example, a mirror server owner, or a hacker with access to a mirror server) intercepting your downloads and serving you malware packaged into packages, that is impossible. Only the original packager has the power to include malware in packages, because all packages are checked against any tampering by the package manager on your computer. If the signature of a downloaded archive file does not match, you get an error and nothing is installed. So, no trust in mirror owners is necessary.
None of this applies to the AUR, as the AUR is not an official repository and it only contains PKGBUILD files that contain the instructions how to package something yourself on your local machine. For any software from the AUR, you are the packager, using somebody else’s build scripts (who may or may not be trustworthy), so it is your responsibility to make sure no malware gets packaged into the packages you build.
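Added example, not code from the thread: a small POSIX sh script that repeats by hand the two checks the answer above relies on, reading the Packager field from pacman -Si/-Qi output and verifying a cached package archive's detached signature against pacman's own keyring with pacman-key. The package name and the sample pacman output below are constructed placeholders, and the audit part only runs where pacman-key exists.

```shell
#!/bin/sh
# Added example (not from the thread). Needs pacman and pacman-key for the
# cache audit; the parser below works on any POSIX sh with awk.

# Pull one field ("Packager", "Validated By", ...) out of pacman -Si/-Qi
# style output read from stdin. Values may themselves contain ':' (URLs),
# so only the text up to the first separator is stripped.
pkg_field() {
    awk -v f="$1" 'BEGIN { p = "^" f " *:" }
                   $0 ~ p { sub(/^[^:]*: */, ""); print; exit }'
}

# Constructed sample of `pacman -Qi` output (placeholder package and
# packager), so the parser can be exercised on a machine without pacman.
SAMPLE_QI='Name            : examplepkg
Version         : 1.0-1
Packager        : Example Packager <packager@example.org>
Validated By    : Signature'

# Verify a cached archive against its detached .sig using the keyring in
# /etc/pacman.d/gnupg, the same one pacman consults during -S/-U.
# Returns 0 only if the signature is valid and made by a trusted key;
# an archive altered on a mirror fails here exactly as it does in pacman.
verify_pkg() {
    [ -f "$1.sig" ] || { echo "no detached signature for $1" >&2; return 1; }
    pacman-key --verify "$1.sig" >/dev/null 2>&1
}

# Print verification status, packager and file name for every archive
# currently in the pacman cache.
audit_cache() {
    for f in /var/cache/pacman/pkg/*.pkg.tar.*; do
        case "$f" in *.sig) continue ;; esac
        [ -e "$f" ] || continue
        if verify_pkg "$f"; then status=OK; else status=FAILED; fi
        printf '%s\t%s\t%s\n' "$status" \
            "$(pacman -Qip "$f" | pkg_field Packager)" "${f##*/}"
    done
}

if command -v pacman-key >/dev/null 2>&1; then
    audit_cache
else
    # No pacman here: just show the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_QI" | pkg_field Packager
fi
```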
Well, that in itself is not the reason why I trust you (if you were malicious, you could use a different PKGBUILD than the one that is publicly available), and it’s not the reason to trust a third party repo, as you have no guarantee that the publicly available PKGBUILD is the one used to build the package in the repo.
Of course, since I use EndeavourOS, that basically means that I would trust you and @manuel, and everyone else on the team (as well as all Arch TUs) with access to my computer. If that were not the case, I would not use EndeavourOS. The trustworthiness of the EndeavourOS team has been proven again and again, at least in my opinion.