No, it is unfeasible (at least for me) to validate every single package. So at some point I have to trust someone/some party, and I chose to trust the maintainers of my distro more than a person asking me to run sudo from curl.
And some people trust the software authors more than some random repo maintainers who don't have enough time to even make sure the packages they update are actually still compatible with each other.
You do not need to trust anyone if the program is run inside a sandbox. This sandbox has been supported in hardware since the 80386, but Linux doesn't make proper use of it.
In Linux, to install a virus or malware, you need to download, compile, and install the virus manually, OR the user can install it using `curl ... | bash`, which is a much simpler method. Even newbies can install new malware using `curl ... | bash`.