I am very new to all this and cannot select between Mint and Zorin OS. But I am here to ask, is it safe to use repository mirrors like Mirrors - Linux Mint or Official download mirrors - Zorin OS for faster download speeds?
Because it looks like they’re not hosted by the official developers. Is it possible that I will get hacked because of such a repo? Can’t a mirror owner put malware in?
Also, some of them are listed as HTTP! Is that even normal? Isn’t HTTP, like, vulnerable? Or am I looking at this the wrong way?
A good package manager will check for cryptographic signatures corresponding to downloaded packages, so that should keep you safe, even if someone intercepted and replaced the HTTP packets, as long as the official signatures themselves are fetched securely. It’d still be ideal to have the connections be over TLS, but it’s not strictly necessary for this use case. (It still doesn’t keep private which packages you’re installing, for example.)
I recommend nearby state or larger/well-known private universities that are known to have good computer programs. Also for consideration are ISPs, usually regional, that offer mirrors as a service.
Every package in the repositories is cryptographically signed. Your package manager checks and ensures that the package is genuine and made by the actual distribution maintainers.
It would decline the installation of a package that has been tampered with.
Side note:
The original developers of a piece of software do not usually provide the binary packages of their software. The distribution maintainers get the source code from the developers (upstream) and build the software. This process is highly automated, but includes some code reviews.
Conclusion:
All mirrors your distribution gives you to choose from are practically safe. If any problem emerges, it will be discussed in public and it will be fixed.
If you are taking risks with software sources, like you do using the AUR on an Arch-based distribution for example, those risks will be clearly stated (like in Manjaro’s package manager interface).
If you add your own sources found on random websites, that’s when you clearly undermine security.
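
An added illustration, not part of any post in this thread: on APT-based distributions such as Mint and Zorin, the signature covers the repository's Release file, which pins the SHA256 of each Packages index, which in turn pins the SHA256 of each .deb. The code below assumes the Release text has already passed signature verification, and shows on constructed sample data how that hash chain rejects a package or index altered by a mirror; all function names are hypothetical.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release(text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_sha = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_sha = True
        elif in_sha and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_sha = False
    return entries

def parse_packages(text: str) -> dict:
    """Return {package name: {field: value}} from a Packages index."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        pkgs[fields["Package"]] = fields
    return pkgs

def verify_download(release_text, index_path, index_bytes, name, deb_bytes):
    """Check a mirror-supplied index and package against the trusted Release."""
    digest, size = parse_release(release_text)[index_path]
    if len(index_bytes) != size or sha256(index_bytes) != digest:
        return "index rejected"
    meta = parse_packages(index_bytes.decode())[name]
    if len(deb_bytes) != int(meta["Size"]) or sha256(deb_bytes) != meta["SHA256"]:
        return "package rejected"
    return "ok"

# Constructed sample data (not taken from any real repository).
PATH = "main/binary-amd64/Packages"
GOOD_DEB = b"constructed stand-in for hello_1.0_amd64.deb"
INDEX = ("Package: hello\nVersion: 1.0\n"
         f"Size: {len(GOOD_DEB)}\nSHA256: {sha256(GOOD_DEB)}\n").encode()
# Assumption: this text was authenticated by the signature check beforehand.
RELEASE = f"Origin: Example\nSHA256:\n {sha256(INDEX)} {len(INDEX)} {PATH}\n"

def demo():
    evil_deb = GOOD_DEB.replace(b"hello", b"h3llo")  # mirror swaps the package
    # Mirror also rewrites the index so it matches the swapped package.
    evil_index = INDEX.replace(sha256(GOOD_DEB).encode(), sha256(evil_deb).encode())
    return [verify_download(RELEASE, PATH, INDEX, "hello", GOOD_DEB),
            verify_download(RELEASE, PATH, INDEX, "hello", evil_deb),
            verify_download(RELEASE, PATH, evil_index, "hello", evil_deb)]
```

The third case is the one that matters for untrusted mirrors: rewriting the index to match a swapped package fails because the index hash is fixed by the signed Release file.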