~cnx/ipwhl-discuss

Can we trust upstream?

Message ID: <CDE0FKE27LHG.L5OJXG9TEZXY@nix>
DKIM signature: missing
At the moment, we don't really validate the packages.  Most of them
are included as-is from PyPI, while the rest are built from the source
distributions, also from PyPI.

There are two concerns regarding this.  First, the wheel might not match
the source distribution.  In the worst case where this is intentional,
malware could be sneaked in by a bad actor.  Circumventing this is
nontrivial, however, as wheel building AFAIK is still non-reproducible
and the build matrix can be quite large to cover with our current resources.
More importantly, building every binary distribution would essentially
make us yet another Nix, which has already matured for over a decade.
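One cheap check that does not require reproducible builds is to compare the
Python files shipped in a wheel against the ones in the matching source
distribution: any .py file that is absent from the sdist, or whose content
differs from it, is a mismatch worth a look.  The script below is an added
example written for this discussion, not code from ipwhl; it builds a toy
sdist (tar.gz) and wheel (zip) in memory as constructed sample input, and the
"src/" layout fallback and the file names are assumptions.  It only covers
pure-Python content, so compiled extensions and build-time generated files
still need separate verification.

```python
import hashlib
import io
import tarfile
import zipfile
from typing import Dict, List


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sdist_py_files(sdist_bytes: bytes) -> Dict[str, str]:
    """Map each .py path (relative to the sdist root dir) to its sha256."""
    out: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            # Drop the leading "<name>-<version>/" directory of the sdist.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[rel] = _sha256(tar.extractfile(member).read())
    return out


def wheel_py_files(wheel_bytes: bytes) -> Dict[str, str]:
    """Map each .py path inside the wheel (outside .dist-info) to its sha256."""
    out: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".py") and ".dist-info/" not in name:
                out[name] = _sha256(zf.read(name))
    return out


def compare_wheel_to_sdist(wheel_bytes: bytes, sdist_bytes: bytes,
                           src_root: str = "src/") -> Dict[str, List[str]]:
    """Report wheel .py files missing from the sdist or differing from it.

    Wheel paths are relative to site-packages; the sdist may keep the same
    layout or a "src/" layout (assumed here), so both are tried.
    """
    sdist = sdist_py_files(sdist_bytes)
    wheel = wheel_py_files(wheel_bytes)
    unexpected: List[str] = []
    modified: List[str] = []
    for path, digest in wheel.items():
        match = next((c for c in (path, src_root + path) if c in sdist), None)
        if match is None:
            unexpected.append(path)
        elif sdist[match] != digest:
            modified.append(path)
    return {"unexpected": sorted(unexpected), "modified": sorted(modified)}


# --- constructed sample archives (hypothetical "demo" project) ---

def _make_sdist(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _make_wheel(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


SDIST = _make_sdist({
    "demo-1.0/pyproject.toml": b"[project]\nname = 'demo'\n",
    "demo-1.0/src/demo/__init__.py": b"__version__ = '1.0'\n",
    "demo-1.0/src/demo/core.py": b"def add(a, b):\n    return a + b\n",
})

# The wheel carries one file with altered content and one file that the
# sdist never had: exactly the situation a reviewer would want flagged.
WHEEL = _make_wheel({
    "demo/__init__.py": b"__version__ = '1.0'\n",
    "demo/core.py": b"def add(a, b):\n    return a + b  # altered\n",
    "demo/_extra.py": b"import os\n",
    "demo-1.0.dist-info/RECORD": b"",
})

if __name__ == "__main__":
    print(compare_wheel_to_sdist(WHEEL, SDIST))
```

Running it on the constructed archives reports demo/core.py as modified
and demo/_extra.py as unexpected; a wheel whose .py files all match the
sdist yields two empty lists.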

The other concern regards malicious code inside the original
source code.  Debian, for example, inspects the source code and changes
of every package, but such work is incredibly difficult and tedious.
I know I am not qualified to do it myself and I do not know anyone
who can and is willing to give a hand.

I would love to hear any ideas to improve the quality of our repository.