So long as the provider remains honorable. If they decided to bundle malicious programs -- or someone who took control of their domain and private key did -- they easily could.
They could publish updates to the program, publish new dependencies, or even publish updates to packages you normally get from your main distro repository. If you're doing apt-get update (or equivalent) how closely do you scrutinize the list of changes?
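The override scenario the comment describes (a third-party repository offering a newer version of a package you normally get from the distro) shows up in `apt-cache policy` output before you ever run the upgrade. The following is an added example, not code from the original thread: it parses that output and classifies each package by where its candidate version would come from. The `apt-cache policy` text below is constructed for the example, `apt.third-party.example` is a placeholder hostname, and the set of trusted distro hosts is an assumption you would replace with your own mirrors.

```python
"""Classify apt upgrade candidates by the origin that serves them.

Added example, not part of the original thread. Parses the text printed by
`apt-cache policy <pkg> [<pkg> ...]` and reports, for each package, whether
its candidate version comes from the distro, from a third-party repository
that also overrides a distro package, or from a third-party repository only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Iterable

# Assumption: the hosts you consider "the distro". Replace with your mirrors.
TRUSTED_ORIGINS: Set[str] = {"archive.ubuntu.com", "security.ubuntu.com"}

# Constructed sample of `apt-cache policy` output; versions and the host
# apt.third-party.example are placeholders, not real packages or repositories.
SAMPLE_POLICY = """\
curl:
  Installed: 1.0-1
  Candidate: 1.0-2
  Version table:
     1.0-2 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
 *** 1.0-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
libfoo1:
  Installed: 2.3-1
  Candidate: 2.3-1+vendor1
  Version table:
     2.3-1+vendor1 500
        500 https://apt.third-party.example/debian stable/main amd64 Packages
 *** 2.3-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status
vendor-tool:
  Installed: 4.0.1-1
  Candidate: 4.0.1-1
  Version table:
 *** 4.0.1-1 500
        500 https://apt.third-party.example/debian stable/main amd64 Packages
        100 /var/lib/dpkg/status
gzip-extra:
  Installed: (none)
  Candidate: 9-1
  Version table:
     9-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
"""


@dataclass
class PackagePolicy:
    name: str
    installed: Optional[str] = None
    candidate: Optional[str] = None
    # version -> list of source URIs (or local paths such as /var/lib/dpkg/status)
    sources: Dict[str, List[str]] = field(default_factory=dict)


def parse_policy(text: str) -> List[PackagePolicy]:
    """Parse `apt-cache policy` output into one PackagePolicy per package."""
    packages: List[PackagePolicy] = []
    current: Optional[PackagePolicy] = None
    current_version: Optional[str] = None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(":"):
            current = PackagePolicy(name=line[:-1])   # "pkgname:" header
            packages.append(current)
            current_version = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("Installed:") or stripped.startswith("Candidate:"):
            key, value = (part.strip() for part in stripped.split(":", 1))
            value = None if value == "(none)" else value
            setattr(current, key.lower(), value)
            continue
        tokens = stripped.split()
        if tokens and tokens[0] == "***":       # marker for the installed version
            tokens = tokens[1:]
        if len(tokens) == 2 and tokens[1].isdigit():
            current_version = tokens[0]         # "<version> <priority>"
            current.sources.setdefault(current_version, [])
        elif len(tokens) >= 2 and tokens[0].isdigit() and current_version is not None:
            current.sources[current_version].append(tokens[1])  # "<prio> <uri> ..."
    return packages


def origin_host(source: str) -> Optional[str]:
    """Host part of a repository URI; None for local entries like /var/lib/dpkg/status."""
    match = re.match(r"^[a-z+]+://([^/]+)", source)
    return match.group(1) if match else None


def hosts_for(sources: Iterable[str]) -> Set[str]:
    return {host for host in map(origin_host, sources) if host}


def classify(text: str, trusted: Set[str] = TRUSTED_ORIGINS) -> Dict[str, str]:
    """Map package name -> 'ok' | 'overrides-distro' | 'third-party-only'."""
    report: Dict[str, str] = {}
    for pkg in parse_policy(text):
        if pkg.candidate is None:
            continue
        candidate_hosts = hosts_for(pkg.sources.get(pkg.candidate, []))
        all_hosts = hosts_for(s for srcs in pkg.sources.values() for s in srcs)
        if candidate_hosts <= trusted:
            report[pkg.name] = "ok"
        elif all_hosts & trusted:
            # The distro ships this package too; the third party is shadowing it.
            report[pkg.name] = "overrides-distro"
        else:
            report[pkg.name] = "third-party-only"
    return report


if __name__ == "__main__":
    for name, status in classify(SAMPLE_POLICY).items():
        print(f"{name:12} {status}")
```

Against the constructed sample this reports `libfoo1` as `overrides-distro`, which is the case the comment warns about: a library the distro already ships, with a higher candidate version offered by the third-party source. `vendor-tool` is `third-party-only`, the expected state for the program you added the repository for. On a real system you would feed it the output of `apt-cache policy` over the installed package list and act on any `overrides-distro` entry, typically by pinning the third-party origin to a low priority for everything except the packages you actually want from it (see apt_preferences(5)).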