Random person on the internet wrote:

The distribution model is broken! if you get your software from a distribution you have to trust the package maintainer not to add malicious code!

While the concern is valid, who would you rather trust? A random upstream author who pushed their code on github or somebody who went through a long procedure to prove their trustworthiness before they were granted the ability to put code in the distribution unsupervised?