There's another solution (as Debian does): auditing what the package itself does, so that you don't allow malicious code into the repository.