
Linux desktop users are so trusty; the only reason half of them aren't owned yet is because they aren't being targeted.

Groups doing Windows malware are routinely doing things like reverse engineering vulnerabilities from binary diffs within hours of Microsoft releasing a patch. If they would spend even a fraction of the skill and effort on targeting Linux desktop users, plenty of Linux users would be owned fast. And unlike with Windows, the Linux community as a whole hasn't spent years evolving ways to respond to this quickly (with the notable exception of _offering_ security updates to address vulnerabilities quickly... through some channels and not others, and many users update twice a year at best).

How much software from hundreds of third-party repos (e.g. AUR) and third-party package managers (e.g. pip) do devs use? Taking over an abandoned package (maybe a dependency of a more popular package), or worse actually legitimately maintaining a package for half a year before adding the malware, isn't hard. And once the malware is on the computer, there are few safeguards for the actual data (malware can probably encrypt $HOME or exfiltrate ~/.ssh/*).

The Linux ecosystem is more than the kernel; it's everything other than the kernel that needs hardening. Especially the culture; the "it can't happen to us" attitude needs to go.




> Linux desktop users are so trusty; the only reason half of them aren't owned yet is because they aren't being targeted.

And the other half have ClamAV? Why _wouldn't_ they be targeted? Surely a large number of proprietary technologies are developed on Linux.


No, the other half would simply get lucky and the malware wouldn't reach them.

No malware can reach every system, especially in the Linux world, which is so fragmented. Users will only use repos relevant to them - for example, Fedora users won't use AUR/PPA, malware on crates.io would only reach Rust developers, etc. Also, it would be much harder to get malware into any distro's primary repos than into dedicated "lower standards" repos like PPA/COPR/AUR, which many users simply don't use. And realistically, malware authors will only be able to infect some packages, and only for some time.


Adding to this: Linux users are diverse in the applications they use. Even window managers vary widely between users and distributions.

They are also vocal about changes so when someone notices something in their package it will be shared quickly.



