What testing is done to make sure no packages in the repos have malware?
NOTE: This is answered more in-depth by a member of Ubuntu Security Team in this answer. My answer below was written two years prior to the linked answer.
Canonical has the Ubuntu Security Team, which is a paid group that professionally reviews and supports software submitted to the Ubuntu archives, as well as releasing fixes (aka the security updates).
From the Ubuntu Wiki:
The Ubuntu Security Team often performs audits on software before it is to be officially supported. Once vulnerabilities are found, the Security Team uses responsible disclosure to let others know about the issue.
The Ubuntu Security Team doesn't work on the packages alone but does collaborate with others, in particular the Debian security team, and vulnerability trackers such as the MITRE CVE database, and maintains its own CVE Tracker.
The same wiki page also lists that they're actively involved in the development of tools to protect from new vulnerabilities; among others, the tools are AppArmor, CompilerFlags, etc.
In particular, Security Team FAQ states:
Software installation tools that come bundled with Ubuntu, such as the Ubuntu Software Centre and Update Manager, validate packages when they are installed to make sure they are secure and have not been manipulated or trojaned during their download. Also, a large subset of packages in the archive are officially supported by the Ubuntu Security Team and get timely updates for security issues that may arise.
So, in other words, as put by thomasrutter, the packages are signed cryptographically to ensure their validation.
The specific repositories that the Security Team oversees are stated in the FAQ as well:
All binary packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while binary packages in universe and multiverse are supported by the Ubuntu community.
Of course, software nowadays runs in millions and millions of lines of code, in a variety of languages, so as our esteemed moderator ThomasW. noted properly, the security team are humans too, and they can't possibly keep track of everything. So yes, some vulnerabilities and bugs can slip through, especially in the universe and multiverse repositories, but there are people and mechanisms in place to ensure that those vulnerabilities and bugs don't run rampant.
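The validation the answer describes works as a hash chain hanging off one signed file: the archive's Release file (whose OpenPGP signature apt checks against the keys in /etc/apt/trusted.gpg.d) lists the SHA256 of each Packages index, and each index lists the SHA256 of every .deb. The example below is added here and is not code from Ask Ubuntu or from apt itself; it uses a constructed miniature archive and a simplified parser, and assumes the Release signature has already been verified.

```python
import hashlib

# Constructed sample archive (not from the page): a minimal Release file listing
# the SHA256 of a Packages index, and a Packages index listing the SHA256 of one
# .deb. apt trusts the Release file only after checking its OpenPGP signature
# against the keys in /etc/apt/trusted.gpg.d; that step is assumed done here.
DEB_BYTES = b"constructed .deb payload"
PACKAGES_TEXT = (
    "Package: example\nFilename: pool/main/e/example/example_1.0_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\nSHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
)
RELEASE_TEXT = (
    "Suite: example\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES_TEXT.encode()).hexdigest()}"
    f" {len(PACKAGES_TEXT.encode())} main/binary-amd64/Packages\n"
)

def parse_release_sha256(release_text):
    """Map index path -> (sha256, size) from the Release file's SHA256 block."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries

def parse_packages_sha256(packages_text):
    """Map .deb Filename -> (sha256, size) from each stanza of a Packages index."""
    entries, stanza = {}, {}
    for line in packages_text.splitlines() + [""]:
        if line.strip() == "":
            if "Filename" in stanza:
                entries[stanza["Filename"]] = (stanza["SHA256"], int(stanza["Size"]))
            stanza = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            stanza[key] = value.strip()
    return entries

def verify_chain(release_text, packages_text, index_path, deb_path, deb_bytes):
    """True only if Release vouches for the index and the index vouches for the .deb."""
    raw = packages_text.encode()
    if parse_release_sha256(release_text).get(index_path) != (
            hashlib.sha256(raw).hexdigest(), len(raw)):
        return False  # index altered or not listed in the signed Release file
    expected = parse_packages_sha256(packages_text).get(deb_path)
    return expected == (hashlib.sha256(deb_bytes).hexdigest(), len(deb_bytes))
```

Any byte changed in the Packages index or the .deb after the Release file was signed makes the chain fail, which is why a manipulated download is rejected even though the mirror itself is untrusted.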