Package manager and software signatures
Should I trust a package manager's signatures? Let's look at package managers and software signatures from the point of view of the "don't trust, verify" movement.
The following is a note taken from a post by Luca Venturini that I found very interesting and that sums up the questions about package managers and software signatures.
If the package manager is from Debian, you can trust it. The signatures are checked when the package is formed and then new ones are checked with each download.
Some considerations regarding packages in general, but also Electrum (which has six or seven dependencies and all Python related):
- You are adding someone (a Debian developer) to the chain of people you can trust.
- You are getting a version that is tested by many more people than other versions, so it is less likely to have major bugs.
- In case of major bugs or security issues, the package manager keeps the package up to date for you. Whereas with traditional downloading, you risk not knowing this and using an insecure version.
- The last point also applies to all libraries and dependencies (this is more important than it seems, because security bugs are often in the dependencies, as was the case with openssl).
- You have an older version than the current one. This means that you do not have all the new features introduced. This is a disadvantage for some things, but an advantage for others. Think for instance of protocols that have not yet been standardized. Developers often make bets on what to do, only to go back. Another example is the documentation you find around. If there is a tutorial online, it is more likely to cover a widely used version.
In practice, I can tell you what I do.
I always use Debian stable packages. When I find a software feature that I absolutely need and that is not in the Debian stable package, I ask myself a hundred times if the world needs that feature and if there is a way around it. If the answer is no, then I install the necessary junk as well as the new package. This does not apply to programs related to something I am developing or something I know. In that case I download the package, download the dependencies and try to understand in detail what I am doing (hours, not minutes). Electrum for me is in the latter case, so I download it from the site. But if one does another job, deals with these things in one's spare time, is still trying to understand, then one absolutely must use the Debian package version.
That leaves one last category of people, those who use another operating system. These are wrong from the start, so they must delete the junk they use (Win? Mac? Mint, arch and the like?) and install Debian stable.
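The note above says signatures are checked on each download without showing what that check covers. The example below is added here and is not from Luca Venturini's post or from Debian's tooling: it walks the hash chain that apt verifies beneath a signed Release file, on constructed metadata, and assumes the gpg signature over Release has already been checked (that step is not repeated).

```python
import hashlib
import re

# Constructed stand-ins (not a real Debian archive): a package payload, the
# Packages index describing it, and the Release file listing that index.
# The signature over Release is the root of the chain and is assumed checked.
DEB_PATH = "pool/main/e/electrum/electrum_EXAMPLE_all.deb"
DEB_BYTES = b"constructed stand-in for the .deb archive contents\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

PACKAGES = (
    "Package: electrum\nVersion: EXAMPLE\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n\n"
).encode()
INDEX_PATH = "main/binary-all/Packages"
RELEASE = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
)

def release_entry(release: str, path: str):
    """(sha256, size) listed for `path` in the Release SHA256 section, or None."""
    in_section = False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, name = line.split()
            if name == path:
                return digest, int(size)
        else:
            in_section = False  # any other top-level field ends the section
    return None

def packages_entry(packages: bytes, filename: str):
    """(sha256, size) from the Packages stanza whose Filename matches, or None."""
    for stanza in packages.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if fields.get("Filename") == filename:
            return fields["SHA256"], int(fields["Size"])
    return None

def verify_chain(release, packages, index_path, deb_path, deb_bytes) -> bool:
    """True only if Packages matches Release and the .deb matches Packages."""
    if release_entry(release, index_path) != (sha256_hex(packages), len(packages)):
        return False
    return packages_entry(packages, deb_path) == (sha256_hex(deb_bytes), len(deb_bytes))
```

A modified index or package breaks the chain at the corresponding link even though the Release signature itself would still verify, which is why apt refuses the download rather than only the signature check failing.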