If you're not manually checking the PGP-signed SHASUMs of the software you're downloading for slackware, you're not getting any more security the defective apt software we've been running on debian.
Edit: As pointed out by elosius, verifying SSL certs when you download packages would give you some degree of security (and that's what I often end up having to do on Windows), but unless you have access to signed digests from the package author, you won't get any better security than the broken debian apt system.
Personally, I'll choose the latter. Not only is apt a middleman, now it's a compromised middleman. Throw out the middleman and you have only yourself and the author.
The only difference between me validating the source and building and installing it myself, and trusting apt to do all that for me, is that apt has been proven to be vulnerable. I'm not going to purposely install non-vetted code on my system, but now it's been proven that apt very well might do that. Again, how is a broken apt more secure than me manually vetting the source, when it comes to my own system?
Again, I fail to see how getting the source directly from the author and verifying the integrity of the source package is less secure than getting it from third-parties in binary form?
Most people won't, making it a net loss to remove an automated system. Also I'm betting you're not getting the source from the author unless you know the author in meatspace. You're trusting his DVCS (github?) not to be owned and his account not to be owned, then trusting someones gzip / tar program, then trusting their webhost who holds that source code file.
There is the interesting aspect that you probably don't spend all your time on software XYZ, but the package maintainer probably does, so if there is funny business, a distro package maintainer is much more likely to notice than yourself.
I think what people are sensing, even if they can't put their finger on it, is that you're applying fairly arbitrary standards of what's good and bad here. In reality, security is hard to the point of sheer impossibility regardless of what you do, if you hold everything to equally strict standards. If this leads you to write off apt probably the only consistent thing to do is stop using software entirely, honestly. Nothing is secure to that standard, and even with "certified software" one would forever be wondering about whether the certifiers have their own motives. It seems disingenuous to try to use this as an excuse to slag apt specifically, when with the standards you're using you ought to be yelling about many more things, including your putative solution. (How are you sure your signature checking code wasn't compromised?)
