When I’m looking for a package that’s not in the official repos, I add only either popular repos with active maintainers who do regular updates or ones from packagers I know personally.
The first one is hard to fake for obvious reasons. I guess someone could try to know me personally and somehow engineer a situation where I would want to have a piece of software that they package, but that’s arguably even harder to pull off and is certainly not worth it for stealing one nerd’s worth of money.
Convincing people to use it is also hard.