To provide an example of the sorts of attacks an attacker can launch on package managers, this page describes an example attack called a replay attack. Other attacks are described on a separate page.
via Attacks on Package Managers.
Here’s a piece of advice I always adhere to for any kind of upgrade.
Manually update your systems (and local mirror caches). Know when package updates become available and what the versions should be. Manually verify and install the updated packages (or add them to your local mirror cache that your systems update from) rather than relying on automated updates. We have observed mirrors many months out of date for some distributions, so you should check periodically that your mirror is being updated.
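The freshness and version checks the quoted advice asks for, as an added example that is not code from either quoted page: it parses two constructed repomd.xml fragments (the file yum fetches first, carrying the repository revision plus the checksum and timestamp of the primary package list) and flags a mirror whose metadata is older than upstream, then compares the mirror's package versions against the versions you expect using a simplified reimplementation of rpm's version-segment comparison (tilde handled, caret not). The repository data, package names and version strings are made up for the example; a real run would fetch repomd.xml from the mirror and from the upstream repository and take the expected versions from the vendor's update announcement.

```python
import re
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed repomd.xml fragments (not real repository data). The upstream
# copy is what the vendor currently publishes; the mirror copy is an older
# snapshot, which is exactly what a replayed or simply stale mirror serves.
UPSTREAM_REPOMD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1300000000</revision>
  <data type="primary">
    <checksum type="sha256">1111aaaa</checksum>
    <timestamp>1300000000</timestamp>
  </data>
</repomd>
"""

MIRROR_REPOMD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1290000000</revision>
  <data type="primary">
    <checksum type="sha256">0000bbbb</checksum>
    <timestamp>1290000000</timestamp>
  </data>
</repomd>
"""

# Constructed version tables: what the vendor announced vs. what the mirror has.
EXPECTED_VERSIONS = {"openssl": "1.0.1e-30", "bash": "4.1.2-15", "alpine": "2.00-18"}
MIRROR_VERSIONS = {"openssl": "1.0.1e-16", "bash": "4.1.2-15", "alpine": "2.00-18"}


def parse_repomd(xml_text):
    """Return (revision, primary checksum, primary timestamp) from repomd.xml."""
    root = ET.fromstring(xml_text)
    revision = int(root.findtext(REPO_NS + "revision"))
    for data in root.iter(REPO_NS + "data"):
        if data.get("type") == "primary":
            checksum = data.findtext(REPO_NS + "checksum")
            timestamp = int(data.findtext(REPO_NS + "timestamp"))
            return revision, checksum, timestamp
    raise ValueError("no primary metadata entry in repomd.xml")


def mirror_findings(upstream_xml, mirror_xml, max_lag_seconds=7 * 86400):
    """List the ways the mirror's metadata lags upstream. A replayed
    repomd.xml still carries a valid signature, so only this freshness
    comparison distinguishes it from the current one."""
    up_rev, up_sum, up_ts = parse_repomd(upstream_xml)
    mi_rev, mi_sum, mi_ts = parse_repomd(mirror_xml)
    findings = []
    if mi_rev < up_rev:
        findings.append("mirror revision %d is older than upstream %d" % (mi_rev, up_rev))
    if mi_sum != up_sum:
        findings.append("primary.xml checksum differs from upstream")
    if up_ts - mi_ts > max_lag_seconds:
        findings.append("mirror primary metadata is %d days behind upstream"
                        % ((up_ts - mi_ts) // 86400))
    return findings


_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Simplified rpm version comparison: 1 if a is newer, -1 if older, 0 if equal.
    Numeric segments beat alpha segments and '~' sorts before anything."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Leftover segments: the longer version is newer unless the leftover
    # starts with '~' (a pre-release marker), which makes it older.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    return (-1 if a_longer else 1) if rest == "~" else (1 if a_longer else -1)


def find_downgrades(expected, mirror):
    """Return (name, expected, found) for packages the mirror serves at an
    older version-release than expected, or does not serve at all."""
    downgrades = []
    for name, want in sorted(expected.items()):
        have = mirror.get(name)
        if have is None:
            downgrades.append((name, want, None))
            continue
        want_ver, want_rel = want.rsplit("-", 1)
        have_ver, have_rel = have.rsplit("-", 1)
        ver_cmp = rpmvercmp(have_ver, want_ver)
        if ver_cmp < 0 or (ver_cmp == 0 and rpmvercmp(have_rel, want_rel) < 0):
            downgrades.append((name, want, have))
    return downgrades


if __name__ == "__main__":
    for finding in mirror_findings(UPSTREAM_REPOMD, MIRROR_REPOMD):
        print("metadata:", finding)
    for name, want, have in find_downgrades(EXPECTED_VERSIONS, MIRROR_VERSIONS):
        print("package %s: expected %s, mirror has %s" % (name, want, have))
```

The metadata comparison is the part that matters for a replay: gpgcheck answers "was this signed by the vendor", not "is this the vendor's current repository", so a check against an independently fetched upstream revision (or the vendor's announcement) is what tells a deliberately frozen mirror apart from a fresh one.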
The default RPMforge repository does not replace any CentOS base packages. In the past it used to, but those packages are now in a separate repository (rpmforge-extras) which is disabled by default.
You can find a complete listing of the RPMforge packages at http://packages.sw.be/
via AdditionalResources/Repositories/RPMForge – CentOS Wiki.
The RPM at that link lets yum see the additional packages — such as alpine and perhaps others that are missing from the CentOS base repository.