OSNews

The question is: Do you trust your Programmer/Packager/Distributor chain?

You have to be able to trust EVERY person who has power to potentially install a backdoor in your system.
Linux distros have central repositories, here I have to make up my mind once if I trust the people behind this repository, and then I can use the whole lot of software residing within.
On Windows you install software from many different places, and every once in a while you get a malware package instead of decent software. That seems to be one of the many reasons why Windows is much more malware plagued than Linux. Other reasons are market share, stronger administrator separation in Linux and centralized, faster security updates (updates peripheral software too, not just the core system).

It is actually a little easier than this. Because each Linux distribution has a repository system for software, and all of the various servers for that distribution mirror the exact same packages then you can work out from daily traffic statistics roughly how many people download their software from that set of packages. You can then find out how many people have ever complained even once of some malware being present in such a package delivered from said repositories.

I think you may find that the first number is surprisingly large, and the second number is zero. No malware ever delivered to an end users machine via the repositories. Impeccable record.

Then, from there, it is relatively easy to evaluate if this software distribution system is worthy of your trust, compared to the situation with Windows.