
Comment Software distributors are single points of failure (Score 1) 152

The current software distribution model has several failure modes. A different model is needed with multiple package signers. I wrote an article about it. Here are some of the possible compromises, from most serious to least serious:
  • Build host - the machines that compile the source into binary packages are compromised. In this scenario, code can be injected by the malicious party into the package just before it is signed and prepared for distribution. All clients that install the updated packages are affected. A software audit cannot identify the altered packages because the alteration happens after binaries are generated.
  • Distribution host and Signing key - the machines that host the packages for distribution (web servers) are compromised and the package signing key is compromised. The effect of this is the same as a build host compromise.
  • Source repository - the machines that host the software source-code are compromised. This allows code to be injected and all clients are affected. However, a software audit can uncover the injected code.
  • Insider threats - an insider can insert non-obvious security holes into software they are responsible for.
  • Signing key - the key used to sign the software distribution is compromised. This would allow the malicious party to compromise only specific targeted clients through a "man-in-the-middle" attack and DNS poisoning.
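
A client-side check for the "multiple package signers" model the comment calls for, as an added example that is not part of the original comment or the linked article. It assumes reproducible builds (independent builders produce bit-identical packages), a hypothetical 2-of-3 policy, and constructed signer names and keys; HMAC-SHA256 stands in for a real public-key signature scheme so it runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed sample keys. HMAC-SHA256 is a stand-in for public-key
# signatures; a real client would hold only the signers' public keys.
TRUSTED_SIGNERS = {
    "builder-a": b"constructed-key-a",
    "builder-b": b"constructed-key-b",
    "builder-c": b"constructed-key-c",
}
THRESHOLD = 2  # assumed policy: 2 of 3 independent signers must agree


def sign(signer: str, package: bytes, keys=TRUSTED_SIGNERS) -> dict:
    """Attestation a signer publishes after building the package itself."""
    digest = hashlib.sha256(package).hexdigest()
    tag = hmac.new(keys[signer], digest.encode(), hashlib.sha256).hexdigest()
    return {"signer": signer, "digest": digest, "sig": tag}


def verify(package: bytes, attestations: list, threshold: int = THRESHOLD) -> bool:
    """Accept only if `threshold` distinct trusted signers vouch for these bytes."""
    digest = hashlib.sha256(package).hexdigest()
    agreeing = set()
    for att in attestations:
        key = TRUSTED_SIGNERS.get(att.get("signer"))
        if key is None or att.get("digest") != digest:
            continue  # unknown signer, or attestation covers different bytes
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, att.get("sig", "")):
            agreeing.add(att["signer"])  # a set, so repeats count once
    return len(agreeing) >= threshold


good = b"constructed package contents"
tampered = good + b" + injected code"

# Normal release: independent builds of the same source agree.
release = [sign(s, good) for s in ("builder-a", "builder-b", "builder-c")]
# One build host (or its key) is compromised and signs altered binaries,
# repeating its attestation to try to look like several signers.
one_bad = [sign("builder-a", tampered)] * 3 + [sign("builder-b", good)]

if __name__ == "__main__":
    print(verify(good, release))
    print(verify(tampered, one_bad))
```

With a threshold above one, the build-host and signing-key compromises listed above no longer suffice on their own; a source repository compromise or an insider still passes, because every honest builder compiles the same altered source.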
