
Linux packages mirrors

Privacy Guides Community [Unofficial] May 31, 2026
Every package in the repositories is cryptographically signed. Your package manager checks and ensures that the package is genuine and made by the actual distribution maintainers. It would decline the installation of a package that has been tampered with.

Side note: The original developers of a piece of software do not usually provide the binary packages of their software. The distribution maintainers get the source code from the developers (upstream) and build the software. This process is highly automated, but includes some code reviews.

Conclusion: All mirrors your distribution gives you to choose from are practically safe. If any problem emerges, it will be discussed in public and it will be fixed. If you are taking risks with software sources, like you do using the AUR on an Arch-based distribution, for example, those risks will be clearly stated (like in Manjaro's package manager interface). If you add your own sources found on random websites, that’s when you clearly undermine security.
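The mirror-safety argument above holds only while the package manager's signature check is left switched on, so the following added example (not part of the original post) audits apt and pacman configuration text for settings that disable or weaken that check. The option names are real apt and pacman settings; the sample text, its hostnames and the `audit` function name are constructed for illustration.

```python
import re

# apt one-line source format: deb [trusted=yes] ... skips signature verification.
APT_LINE = re.compile(r"^\s*deb(-src)?\s+\[[^\]]*\b(trusted|allow-insecure)=yes\b", re.I)
# apt deb822 (.sources) format: "Trusted: yes" has the same effect.
APT_DEB822 = re.compile(r"^\s*(Trusted|Allow-Insecure)\s*:\s*yes\b", re.I)
# apt.conf switches that accept unsigned repositories or packages (flat form only).
APT_CONF = re.compile(
    r'^\s*(Acquire::AllowInsecureRepositories|APT::Get::AllowUnauthenticated)'
    r'\s+"?(true|1|yes)"?', re.I)
# pacman.conf: SigLevel tokens that stop requiring a trusted package signature.
PACMAN_SIG = re.compile(r"^\s*SigLevel\s*=\s*(.+)$")
PACMAN_WEAK = {"Never", "PackageNever", "Optional", "PackageOptional",
               "TrustAll", "PackageTrustAll"}

def audit(text):
    """Return (line_number, reason) for each line that weakens signature checks."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore '#' comments
        if APT_LINE.search(line) or APT_DEB822.search(line):
            findings.append((n, "apt source trusted without signature check"))
        elif APT_CONF.match(line):
            findings.append((n, "apt accepts unauthenticated repositories"))
        else:
            m = PACMAN_SIG.match(line)
            if m and PACMAN_WEAK & set(m.group(1).split()):
                findings.append((n, "pacman SigLevel weakens package verification"))
    return findings

# Constructed sample: lines from sources.list, apt.conf and pacman.conf concatenated.
SAMPLE = """\
deb https://deb.debian.org/debian stable main
deb [trusted=yes] http://packages.example.invalid/repo ./
# deb [trusted=yes] http://old.example.invalid/ ./
Acquire::AllowInsecureRepositories "true";
[core]
SigLevel = Required DatabaseOptional
[custom]
SigLevel = Optional TrustAll
"""

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: {reason}")
```

An official mirror entry and pacman's stock `Required DatabaseOptional` level pass cleanly; only the entries that turn verification off are reported.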
