If I might chime in, I am a bit worried about all the automatic installation going on in galaxy, and it seems that the trend is to enhance this. A small R or python script calling into well known libraries that come from well known repositories (bioconductor etc… ) I can check. (Of course I install too much stuff from github, bioconductor etc… without checking).
I'm not sure it is comparable to an entire Linux distribution, it's more like an Appstore, like pypi, bioconductor or gems, and yes that is
The app stores are checked by Apple or Google for malicious code, and the apps are sandboxed. There are many eyes on python, bioconductor packages and gems because many more people interact with them directly compared to galaxy-tools.
Sorry, maybe I was misleading. I only want a central storage for binaries/tarballs where the source cannot be trusted for the long term. 'long term' and 'trusted' need to be defined in such a discussion here. I do not think we should copy python packages that are stored in pypi. We should make it as easy as possible to install them in our repository. If you do not trust pypi, we can offer a mirror. Same goes for gems.
Trusted for me means I trust the source not to have dangerous code. I trust pypi more than some mirror, bioconductor base packages more than some freshly published package that few people have used, tools from galaxy core developers more than from the tool-shed etc… I know this is not the type of trust you were talking about. best, ido