Hmm. Another caveat: Downloading binaries from random sources can
be dangerous, as you never have any real idea of what they could
be capable of doing. Downloading source and compiling it is
potentially safer since you *could* audit the code to find any
problems. (Since almost no one does so, however, it's more of a
warm fuzzy than a real guarantee.)
Debian's APT system is nice because you get binary packages that
have some degree of provenance -- in order to be added to the
system they have to be signed with a registered GPG key and
uploaded to Debian's system by someone who's authorized to do so.
Debian ``checks out'' their developers, at least to the extent of
doing some identity verification (a known, trusted Debian
developer must meet with, see some identification, and sign the
key of a candidate developer).
Even that process can't protect end users from malicious code in
their packages (unbeknownst to the Debian maintainer) or from an
attack on one or more Debian mirrors.
A little paranoia can be a good thing.
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
C.M. Connelly firstname.lastname@example.org SHC, DS