not only do you have to setup the infrastructure to host multiple repositories (deb, rpm), you also have to build and deploy multiple packages of sufficient quality that you don’t break something else, which for a common/popular package would make the malware immediately noticeable.
not only do you have to setup the infrastructure to host multiple repositories (deb, rpm), you also have to build and deploy multiple packages of sufficient quality that you don’t break something else, which for a common/popular package would make the malware immediately noticeable.