>all of these package managers have vulnerabilities that can be exploited by a man-in-the-middle or a malicious mirror.
Well, that's how software is, but that article is from 2008 and things have gotten a lot better in the meantime (I think archlinux wasn't even signing their packages back then).
If the distribution's private keyring isn't compromised and you don't have third-party repos, your packages are as trustworthy as your distribution team (and upstream).
