Commercial Linux distributions like Red Hat, SUSE and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
Although the "repo" is a list of manifest files that include third-party download sources. So even if there is an approval process it seems to be quite vulnerable to including malware.