As Linux continues to grow and develop, and the more we use Linux, the greater the threat from viruses.
We also know that a virus/threat in Linux (if any) would have difficulty running or spreading when it is running as a normal user, but it is a different story if the virus/threat is running as the root user.
An example of this danger would be if a virus is tucked inside a PPA (intentionally or unintentionally) or if an application has an intentionally planted backdoor (e.g., pidgin could secretly send passwords to a particular address).
If we add software from a Launchpad PPA, is there any guarantee that software is from free viruses/backdoor threats?
Every package's install script has root access to your system, so the mere act of adding a PPA or installing a package from one is an implicit statement of trust on your part of the PPA owner.
So, what happens if your trust is misplaced and a PPA owner wants to be naughty?
In order to upload to a PPA, a package must be signed by a GPG key unique to the launchpad user (indeed, the same key they signed the code of conduct with). So in the case of a known malicious PPA we would simply ban the account and shut down the PPA (affected systems would still be compromised, but there's no good way fix them at that point anyway).
To some extent Launchpad's social features can be used as a bit of a preventative measure of bad users -- someone who has a history of contributing to Ubuntu and some established Launchpad karma, for instance, is less likely to be setting up a trap PPA.
Or what if someone gains control of a PPA that isn't theirs?
Well, this is a bit tougher of a threat scenario, but also less likely since it requires an attacker getting both the launchpad users's private key file (generally only on their computer) as well as the unlock code for it (generally a strong password not used for anything else). If this happens, though, it's usually fairly simple for someone to figure out their account has been compromised (Launchpad will for instance email them about the packages they're not uploading), and the cleanup procedure would be the same.
So, in sum, PPAs are a possible vector for malicious software, but there are probably much easier methods for attackers to come after you.
Establishing a (perhaps distributed) mechanism of trust ratings for PPAs has been on the USC roadmap for a while, but it hasn't been implemented yet.
There is never any guarantee but in a community backed environment, we thrive on "belief". I've added atleast 20 PPAs to my sources and never experienced a problem until now. If,by any chance and as you mentioned, a threat/virus/backdoor is planted on my system by a PPA, I'd come to know about it somehow, courtesy of the community and simply remove it. And BTW, before adding a PPA, I always check what packages are listed in it.
PS: Pidgin never sends usernames and passwords to the servers (and never to a third party!) "secretly". Everything is done with the user's consent. In order to keep you connected seamlessly, Pidgin cannot ping you everytime it sends the login credentials to the servers. It is expected that you have authorised it to do so, once you have provided it the details. I'd rather think twice before calling Pidgin a "backdoor". :)