Hacker News

aa-jv, today at 10:22 AM

Do you review every package in your package manager for back doors/trojans - or do you rely on the social circle upstream to do this work for you?

How is this any different than running some random .sh script?

The assumption is that package-manager code is reviewed - that same assumption can be applied just as equitably to wget'ed .sh files.

tl;dr - you are reviewing everything you ever run on your system, right?