You use packages from a well known Linux distribution.


That doesn’t solve the problem, just moves the chain of trust.


Not at all. It creates a chain of trust instead of relying on random unknown github accounts.

When was the last time a major distribution found a backdoor in a popular package?


> When was the last time a major distribution found a backdoor in a popular package?

Packagers not finding a backdoor doesn't mean that there isn't one. How many packagers actively audit the code they support for a given distro? It is not uncommon for distros that support esoteric platforms to claim a given package works for that platform because it compiles, but it reliably segfaults on execution. Who's responsible for that? Packagers have even introduced[1] vulnerabilities by "fixing" code they didn't fully understand at the time.

Packagers have a difficult, thankless task, and we're doing them no favors by being confused at what their job is. They ensure that the package builds, integrates with the rest of the distribution as much as possible and updates/patches swiftly when issues are found upstream.

[1]: https://lwn.net/Articles/282038/


> Packagers not finding a backdoor doesn't mean that there isn't one.

Nice strawman there - when the alternative is trusting random strangers on github.

> How many packagers actively audit the code they support for a given distro?

Many, plus large companies do plenty of vetting and indemnification on popular distros.

There are very large contracts involved in this. Do you think the typical bank installs random stuff from the Internet on their payment processors?

> Packagers have even introduced[1] vulnerabilities by "fixing" code they didn't fully understand at the time.

Another strawman. How many vulnerabilities have been prevented or fixed by packagers? Quite a good number.

> we're doing them no favors by being confused at what their job is.

Speak for yourself.
