This is true, there's not that much in the repo itself to create trust. The major show of trust is here though: http://pkgs.fedoraproject.org/cgit/rpms/logrotate.git/ commit/?id= 9cb55142e51b82085d6c3136448c1f 441454e351 Fedora/Red Hat themselves changed to use this repo when the fedorahosted repos were EOL'd (see also Red Hat folks working on the github issues in January).