That's a great discussion. I don't have the answer to that. I guess this is a "normies make up the majority" problem, right? I don't mind adding PGP keys and repositories to my machines; with Debian/Ubuntu machines you basically have to do that anyway if you want any software from the past year on your machine. I love dnf and RPM packages. Similar could be said for .deb as well, it's just not as appealing to me as RPM is.

I like obtaining packages from the maintainers directly, assuming they take it seriously. Ideally package maintainers sign their commits and distributions and we're good. That's what I do, and encourage. My projects require a build step 99% of the time (it's that mono-repo life) and I sign everything I can. I think my signing tool is broken though; I need to fix that and re-sign all my packages. That said, my build tool is FOSS and available, so my builds are repeatable if you use my build tool + git :)

I think a centralization/power/corruption problem appears once the app store gets too large. At that point, if we're going to have a dozen app stores "wanting to do it better", why not obtain software from the developer?

I think Android does this well: APKs are universal and signed. You can use Obtainium to install them with updates directly from the developer. I use Mozilla's beta release from their FTP (because that's all they offer from their FTP site) and Obtainium scrapes that for me.

In that specific case, I'm not sure it's the app store's responsibility to take a position on that anyway, right? I think the app store starts to have an obligation to its users, and it removes the communication channel with the developer as well. Point is, I'm not sure the app store has an obligation to protect users from "political" positions, simply obvious malware. Which is something too, but there is still a point to reviewing updates before installing them as well. Obtainium allows for viewing changelogs and release notes if using supported platforms like GitHub, or manually adding a regex HTML scraper.

Discussion

The best thing an app store can do is stop a distribution if they find an issue. If you can't trust the package maintainers who can you trust to obtain _their_ software?