Ok, so it's pretty clear they can't be trusted to manage their own Debian package repos.
But they don't manage the infra around Docker Hub. If they were publicizing their own Docker container registry it might be more concerning, but we have to assume that their keys to push to Docker Hub are OK.
But then if we don't trust that? What do we trust? Can we even trust their own Git repos? Maybe not if it's their own self-hosted GitLab (+ the built-in Docker registry as previously mentioned). But their code is on GitHub. Do we trust that? If not, where do you get the source from?
How far do you want to take it?