An article discussing the current state of package manager vulnerabilities and what actions an administrator can take appeared in the February 2009 edition of the ;login: magazine.
We released a technical report describing a broad look at the security of package managers. This is available as University of Arizona Technical Report TR08-02. A longer version is available in Justin Cappos' dissertation.
In addition, there are several research papers that describe our research package manager Stork.