by subway 3772 days ago
It's the same vendor whether it comes from their site or the package repository.

Prove it.

The package manager allows you to cryptographically verify the binary was inspected by somebody you trust (the package maintainers). While Windows has added code-signing/verification capabilities, many installers are unsigned, and those which are signed don't have a useful trust anchor.


Prove the repository maintainer doesn't blanket approve things because they are overwhelmed.
That's what the mailing list / debbugs are for. Each package has one or more maintainers who are responsible for looking after package creation and upload.

A new upload creates an audit trail that could be checked if needed.