The problem is that npm, cargo, etc. set the standard in people's minds for how package managers work, when the Linux community has been working on securing the supply chain issues for decades.
Like requiring a WoT (usually with physical meetups) to vet the people creating packages, FTP-masters, dedicated clean buildbots, etc., in addition to the packages themselves being signed and so on.