http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html The recommendation to use only trustworthy official repositories is definitely correct. I don't know how other distros handle the mirror-server problem. But as far as Ubuntu is concerned, there are centralized security updates via security.ubuntu.com (and not via mirror servers). Thus, an attacker would have to perform a man-in-the-middle-attack between s.u.c. and my computer - very unlikely . For non-security updates the first sentence applies (i.e. to stick with the default servers or - if you're paranoid - with archive.ubuntu.com). But again - other distros might be more affected. Any users of these distros who can deliver some insight?