worksonmine 4 days ago

How is it flawed? If the intent is to investigate Linux packages, aren't the repositories of Linux distributions the best place to study?

Debian, for example, packages PyPI packages, and the maintainer could introduce a backdoor in the version provided by Debian. Only focusing on PyPI wouldn't catch that case.