by layer8 68 days ago
I’m not one to chase the new and shiny, but how do you know a nominally months-old software package isn’t a newly compromised version at the time you download it?
2 comments

I don't know about other managers, but nixpkgs has hashes of the package I'm installing, and is a git repo, so I can easily detect a history rewrite, and I have the full history of package changes over time. Since it's a git repo, I can also easily install things as of a given time.
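The hash-pinning idea in the comment above, as an added example (not code from the thread or from nixpkgs): a lockfile records the `sha256-<base64>` SRI hash captured when a package was reviewed, and a later download only passes if it still matches. The package names, bytes and lockfile layout are constructed for the example.

```python
"""Check freshly fetched artifacts against hashes pinned at review time."""
import base64
import hashlib
import hmac


def sri_sha256(data: bytes) -> str:
    """Subresource-Integrity form of a SHA-256 digest ('sha256-' + base64)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def verify_artifact(data: bytes, pinned: str) -> bool:
    """True only if `data` hashes to the pinned value; malformed pins are an error,
    so a typo in the lockfile can never be mistaken for a successful check."""
    algo, _, digest = pinned.partition("-")
    if algo != "sha256" or not digest:
        raise ValueError(f"unsupported or malformed pin: {pinned!r}")
    return hmac.compare_digest(sri_sha256(data), pinned)


def check_lockfile(lockfile: dict[str, str], fetched: dict[str, bytes]) -> dict[str, str]:
    """Classify every fetched artifact: 'ok', 'mismatch' (tampered or republished),
    or 'unpinned' (never reviewed, so nothing to compare against)."""
    report = {}
    for name, data in fetched.items():
        pin = lockfile.get(name)
        if pin is None:
            report[name] = "unpinned"
        else:
            report[name] = "ok" if verify_artifact(data, pin) else "mismatch"
    return report


# Constructed sample: what was reviewed months ago, pinned at that time.
ORIGINAL_TARBALL = b"hypothetical tarball contents v1.0"
LOCKFILE = {"example-pkg-1.0.tar.gz": sri_sha256(ORIGINAL_TARBALL)}

# Constructed "today" downloads: one unchanged, one silently replaced, one new.
FETCHED = {
    "example-pkg-1.0.tar.gz": b"hypothetical tarball contents v1.0",
    "example-pkg-1.0.tar.gz (mirror)": b"hypothetical tarball contents v1.0 + backdoor",
}
FETCHED["example-pkg-1.0.tar.gz (mirror)"] = FETCHED.pop("example-pkg-1.0.tar.gz (mirror)")

if __name__ == "__main__":
    for name, status in check_lockfile(LOCKFILE, FETCHED).items():
        print(f"{status:9} {name}")
```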
You probably know this, but a note for the benefit of people who don’t. The entire git history, including metadata, can be modified. Unless you have an independent offline remote to compare to, this method is not 100% guaranteed to detect tampering in all cases, for example if the nixpkgs repo is compromised (or your machines’ connection to your git forge is being MITM’d).
Windows has this thing called digital signing with certificates that Linux users like to pretend doesn't exist or in the case of yesterday's Wireguard / VeraCrypt discussion, think it's an evil capitalist scheme to control the world.

Digital signing on Windows predates Mac developer certificates by years but arguably wasn't widely used outside of security-paranoid organizations.

Before someone says Linux offers GPG signing it's mostly useless without a central PKI. Developers offer the public key for download on the same server as the software. If someone uploaded compromised software, surely they would replace the key with their own.

Linux package managers (the normal way to install software) use signed packages.

I don't know how easy/hard it would be to compromise that.

> Before someone says Linux offers GPG signing it's mostly useless without a central PKI

One could also argue that GPG signing is useful exactly because it doesn't rely on a central PKI.

It's as useful as self-signed certificates.

> Windows has this thing called digital signing with certificates that Linux users like to pretend doesn't exist

...or, much more likely, any potential benefits are not worth the negatives.