All of the official Ubuntu repositories (encompassing anything that you can find on archive.ubuntu.com
or its mirrors, as well as some others) are entirely curated. This means main
, restricted
, universe
, multiverse
, as well as -updates
and -security
. All packages in there have either come from Debian (and so have been uploaded by a Debian Developer) or have been uploaded by an Ubuntu developer; in both cases the package that is uploaded is authenticated by the gpg signature of the uploader.
You can therefore trust that every package in the official archives has been uploaded by either a Debian or Ubuntu developer. Furthermore, the packages you download can be verified by the gpg signatures on the files in the repository, so you can trust that each package you download has been built on the Ubuntu build farm from the source that was uploaded by an Ubuntu or Debian developer¹.
This makes outright malware unlikely - someone in a position of trust would need to upload it, and the upload would be easily tracable to them.
This leaves the question of more surreptitious nefariousness. Upstream developers could put backdoors into otherwise useful software and these could make it into the archive - in universe
or multiverse
, depending on the license. People do run security audits of the Debian archive, so if this software became popular it's likely that the backdoor would be discovered.
Packages in main
have some extra checking and get more love from the Ubuntu security team.
PPAs have almost none of this. The guarantee you get from a PPA is that the packages you download were built on the Ubuntu build infrastructure, and were uploaded by someone with access to one of the GPG keys of the Launchpad account of the listed uploader. There's no guarantee that the uploader is who they say they are - anyone could make a “Google Chrome PPA”. You need to determine trust in some other way for PPAs.
¹: This chain of trust could be broken by an extensive intrusion into the Ubuntu infrastructure, but that's true of any system. The compromise of a developer's gpg key would also allow a black-hat to upload packages to the archive, but since the archive emails the uploader of each package this should be noticed quickly.
Please, open-up update-manager or Software Sources depending on your distro then add/tick universe repository from the software sources.
Read https://help.ubuntu.com/community/Repositories/Ubuntu "Adding Repositories in Ubuntu"
GUI-based repository management is normally accomplished via "Software
Sources". This interface can be accessed via several methods. For the
latest versions of Ubuntu, the easiest way is to go through the
"Ubuntu Software Center". Open the software center, then from the Edit
menu select "Software Sources". You will have to enter your password
to change settings in this window.
For older versions of ubuntu, there are several options:
Main Menu: System > Administration > Software Sources.
Synaptic : System > Administration > Synaptic Package Manager : >> Settings >> Repositories.
Main Menu: Ubuntu Software Center : >> Edit, Software Sources.
Best Answer
This question interests me, and I'm trying to get another four reputation points, so I can upvote a useful answer I recently found here on ask Ubuntu... so I tried to find the answer:
The ones who maintain "Universe" are the Masters of the Universe. On their mailing list there was a discussion on security updates for Drupal, in August 2014. One answer worth reading contained "This is a fundamental difference between main and universe" and "users can always opt to not install universe packages". So if this information is correct it pretty much answers your question, I would say.
Probably Debian has faster security updates over its whole set of packages, than Ubuntu has over it's Universe branch... so you might consider using that distribution instead, if you need (server) programs not included in Ubuntu "Main".