Fedora servers were indeed hacked if I remember correctly and malicious packets were uploaded but it was detected before they reached the users.

Repo security is certainly very important. But well, ultimately you have to trust someone?

The canonical example is http://cm.bell-labs.com/who/ken/trust.html

But I guess that there are two ways to feel really secure : either use openbsd, or just don't use the internet.

google "debian openssl fiasco"

Well that's not really fair. That was a software bug. It wasn't malware, and it had nothing to do with software installation.