23 Dec 2021, 17:57
Hi, Carlos! :D
AFAIK no, because packages are signed using GPG. If the clone rogue server changes a package, the signature would fail. The rogue server could repackage using a different signature and update all the rogue repo metadata accordingly, but that different signature would make package installation at the clients fail, unless those clients validate that rogue signature.
I agree. That's why it's important to use the appropriate keys and certificates when installing outside packages.
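An added example, not part of the thread: a client-side audit for the condition the replies describe, a client that would install from a mirror without checking packages or metadata against keys it already trusts. It assumes yum/dnf-style `.repo` files; the sample config, hostnames and function names are constructed, and an absent option is treated as off.

```python
import configparser

# Constructed sample in yum/dnf .repo syntax (hostnames are placeholders).
SAMPLE_REPO = """\
[vendor-base]
baseurl=https://mirror.example.internal/base/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vendor

[internal-mirror]
baseurl=http://mirror.example.internal/extra/
gpgcheck=0

[third-party]
baseurl=https://repo.example.org/el/
gpgcheck=1
gpgkey=http://repo.example.org/KEY.asc
"""

ON = {"1", "true", "yes", "on"}

def is_on(cfg, option, default):
    """True when a boolean repo option is set to an enabling value."""
    return cfg.get(option, default).strip().lower() in ON

def audit_repo_config(text):
    """Return {repo_id: [findings]} for enabled repos with weak signature settings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo in parser.sections():
        cfg, findings = parser[repo], []
        if not is_on(cfg, "enabled", "1"):
            continue  # disabled repos are not installed from
        # Assumption: an absent option counts as off; real defaults vary by distribution.
        if not is_on(cfg, "gpgcheck", "0"):
            findings.append("package signatures are not verified (gpgcheck off)")
        if not is_on(cfg, "repo_gpgcheck", "0"):
            findings.append("repo metadata signature is not verified (repo_gpgcheck off)")
        for key in cfg.get("gpgkey", "").split():
            if not key.startswith(("file://", "https://")):
                findings.append(f"trusted key fetched over an unauthenticated channel: {key}")
        if findings:
            report[repo] = findings
    return report
```

Run over the sample, `audit_repo_config(SAMPLE_REPO)` reports `internal-mirror` and `third-party` and leaves `vendor-base` clean.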