Recommend package manager hardening
Privacy Guides Community [Unofficial]
May 22, 2026
For example, I use this simple hardening for apt:
sudo apt install apt-transport-https
sudo sed -i 's|http://|https://|g' /etc/apt/sources.list
sudo sed -i 's|http://|https://|g' /etc/apt/sources.list.d/*.list
This will force APT to use HTTPS.
If you are feeling extra paranoid, block port 80 in the firewall.
Why: HTTP is insecure and can be tampered with super trivially.
Important: while most repos support HTTPS, some may not. You will need to manually rotate them to find out.
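
An added example, not part of the original post: a read-only audit that lists APT entries still using plain HTTP. It goes slightly beyond the commands above by also reading deb822 `*.sources` files, which the `*.list` glob does not match. The function names and the `example.org` hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report active plain-HTTP APT
# entries. Covers one-line *.list files and deb822 *.sources files.

audit_apt_http() {
    dir=${1:-/etc/apt}
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list \
             "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue        # skip unmatched globs / missing files
        awk -v file="$f" '
            /^[ \t]*#/ { next }        # commented-out entries are inactive
            file ~ /\.sources$/ {      # deb822: "URIs: <uri> [<uri> ...]"
                if (tolower($1) == "uris:")
                    for (i = 2; i <= NF; i++)
                        if ($i ~ /^http:\/\//) print file ":" NR ": " $i
                next
            }
            $1 == "deb" || $1 == "deb-src" {   # URI follows optional [options]
                for (i = 2; i <= NF; i++)
                    if ($i ~ /^http:\/\//) { print file ":" NR ": " $i; break }
            }
        ' "$f"
    done
}

# Constructed sample tree (hypothetical hosts), so the check runs anywhere.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sources.list.d" || return 1
    printf '%s\n' \
        'deb https://deb.example.org/debian stable main' \
        '# deb http://old.example.org/debian stable main' \
        'deb-src [arch=amd64 signed-by=/usr/share/keyrings/x.gpg] http://src.example.org/debian stable main' \
        > "$d/sources.list"
    printf '%s\n' 'Types: deb' 'URIs: http://mirror.example.org/ubuntu' \
        'Suites: stable' 'Components: main' > "$d/sources.list.d/vendor.sources"
    echo "$d"
}

sample=$(make_sample)
audit_apt_http "$sample"        # on a real system: audit_apt_http /etc/apt
rm -rf "$sample"
```

Run it before and after the `sed` rewrite; empty output means no active entry still points at `http://`.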