> Besides, which harmful thing is more likely to happen, your package repository gets owned, or someone sends a maliciously crafted request to your server?

If you have ports closed because you run desktop then the former? It's fine do a little admin work (or it be a job of itself) on (production) servers, it's not if you just want to have secure desktop, which was my original complaint. Besides, there are plenty of examples in various projects where downstream got compromised, so why introduce another link that can potentially break.

> I have no idea what "running similar ship to mint" means or implies.

That they shipped infected isos. There are other examples where you'll see brilliant engineers give little to no thought to security, the fact that m:tier guys might contribute great work for openbsd doesn't mean that they can also keep artifacts secure and I as the end users shouldn't have to play sherlock to figure out if I can trust them.