> Besides, which harmful thing is more likely to happen, your package repository gets owned, or someone sends a maliciously crafted request to your server?

If you have ports closed because you run desktop then the former? It's fine do a little admin work (or it be a job of itself) on (production) servers, it's not if you just want to have secure desktop, which was my original complaint. Besides, there are plenty of examples in various projects where downstream got compromised, so why introduce another link that can potentially break.

> I have no idea what "running similar ship to mint" means or implies.

That they shipped infected isos. There are other examples where you'll see brilliant engineers give little to no thought to security, the fact that m:tier guys might contribute great work for openbsd doesn't mean that they can also keep artifacts secure and I as the end users shouldn't have to play sherlock to figure out if I can trust them.

> users shouldn't have to play sherlock to figure out if I can trust them.

If you don't trust them, then apply the errata yourself and compile from source. It's not that difficult. If you have many machines you can do it on one, build a release and roll that out on the others.