Untrusted? They're from RedHatSourceDumps.onion! A few years back, my mate in Contoso gave me some sources, and they were identical to the ones that showed up on RHSD the next day; I don't know anyone who's ever noticed a bit out of place. Why would they choose today to start injecting malware, when somebody would raise the alarm within a week?
Back in the real world: binary RPM packages are cryptographically signed, and I'm pretty sure source packages are as well. Who needs provenance when you can blindly assume that nobody's cracked the crypto yet (or, more realistically, leaked the keys)?
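The comment above leans on RPM signatures. A signature check only helps if someone actually looks at the result, and `rpm -K` reports an intact-but-unsigned package as "OK" too, so a script that greps for "OK" misses it. The following is an added example, not code from the thread or from the rpm project: it classifies each line of `rpm -K` output and treats "digests OK" without the word "signatures" as unsigned, and anything containing "NOT OK" (a bad digest, a bad signature, or a signing key that is not imported) as a failure. The output formats are assumed from the modern `rpm -K` behaviour; the sample lines and package names are constructed, and `audit_rpm_signatures` is a hypothetical wrapper.

```shell
# Classify one line of `rpm -K` output. The formats below are assumed
# from rpm's checksig behaviour, not taken from the thread:
#   "pkg.rpm: digests signatures OK"      -> intact and signed
#   "pkg.rpm: digests OK"                 -> intact but carries NO signature
#   "pkg.rpm: DIGESTS SIGNATURES NOT OK"  -> digest/signature check failed,
#                                            or the signing key is not imported
classify_rpm_check_line() {
    case "$1" in
        *": digests signatures OK") echo signed ;;
        *": digests OK")            echo unsigned ;;
        *"NOT OK"*)                 echo bad ;;
        *)                          echo unknown ;;
    esac
}

# Read `rpm -K` lines on stdin and print "<signed> <unsigned> <bad> <unknown>".
summarize_rpm_check() {
    signed=0; unsigned=0; bad=0; unknown=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(classify_rpm_check_line "$line")" in
            signed)   signed=$((signed + 1)) ;;
            unsigned) unsigned=$((unsigned + 1)) ;;
            bad)      bad=$((bad + 1)) ;;
            *)        unknown=$((unknown + 1)) ;;
        esac
    done
    echo "$signed $unsigned $bad $unknown"
}

# Hypothetical wrapper: run the real check over the given .rpm files when
# rpm is installed; return 1 if any package is not cleanly signed.
audit_rpm_signatures() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 2; }
    counts=$(rpm -K "$@" 2>&1 | summarize_rpm_check)
    # shellcheck disable=SC2086  (word splitting of the four counts is intended)
    set -- $counts
    echo "signed=$1 unsigned=$2 bad=$3 unknown=$4"
    [ "$2" -eq 0 ] && [ "$3" -eq 0 ] && [ "$4" -eq 0 ]
}

# Constructed sample output, in the shape `rpm -K *.rpm` prints it;
# the package names are made up for the example.
SAMPLE_RPM_K_OUTPUT='example-app-1.0-1.x86_64.rpm: digests signatures OK
example-tool-2.3-4.noarch.rpm: digests OK
example-lib-0.9-1.x86_64.rpm: DIGESTS SIGNATURES NOT OK'

# Demo only when invoked as `sh this.sh --demo`; expected summary is "1 1 1 0".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RPM_K_OUTPUT" | summarize_rpm_check
fi
```

The point the classifier makes explicit: a clean run is three-for-three "digests signatures OK", and the middle sample line, which many people would read as a pass, is a package nobody signed. Whether the key that produced the signature is one you trust is a separate question that `rpm -K` answers only as well as the keys imported into the rpmdb.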
Anybody can diff the sources against upstream if they want to.
But also, how does that even mean anything? Bob submitted a patch to the mainline Linux kernel which Red Hat forked which Alice downloaded which Bob uploaded and now you're trusting Bob that the code is safe, which you were already doing anyway unless you were comparing the changes to the code yourself, which you can still do.