-2

The git-lfs docs only suggest using packagecloud, but there's a base apt package now, as referenced by https://askubuntu.com/a/1418540/431220.

The question is: how can I, as a consumer, know whether this apt package is safe to use, instead of relying on the packagecloud solution, which is frankly (to me) 10x worse, since I do not want to be dealing with manual package management.

2 Answers

2

The packaging system has a lot of transparency so you can learn how to check these little details for yourself.

Working backwards:

Each package in the Ubuntu repositories is cryptographically signed, and that signature is routinely checked by apt to prevent man-in-the-middle attacks.

The package in the Ubuntu repositories comes from an upstream Debian source package. (See apt show git-lfs)

The Debian package is maintained by a team, and has been uploaded by the same person for years. (See https://tracker.debian.org/pkg/git-lfs)

So it's really a question of whether you trust that one volunteer who has been (thanklessly) maintaining that same package for many years. It's the same question you had before: Did you trust the developers of the software?

To go truly deep, you can audit the code at any step from the developers to Debian to Ubuntu (it's open source). How deep you want to go is up to you. The transparency in both code and process is there.

user535733
  • 68,493
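The checks in the answer above (which repository actually supplied the package, which Debian source package it comes from, who maintains it) can be pulled out of `apt show` output mechanically. This is an added example, not code from the answer or from git-lfs; the sample record and the maintainer addresses are constructed, and signature verification is left to apt, which checks the archive's Release signature when it fetches the index.

```python
import subprocess
from urllib.parse import urlparse
# Hosts of the signed Ubuntu archive; apt verifies their Release signatures itself,
# this script only reports which repository supplied the candidate package.
UBUNTU_ARCHIVE_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com", "ports.ubuntu.com")

def parse_apt_show(text):
    """Parse `apt show <pkg>` output into a dict; indented lines continue a field."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip()
            fields[last] = value.strip()
    return fields

def _is_ubuntu_host(host):
    return any(host == a or host.endswith("." + a) for a in UBUNTU_ARCHIVE_HOSTS)

def package_provenance(fields):
    """The facts the answer says to check: source package, Debian maintainer, winning repo."""
    hosts = [urlparse(t).hostname or "" for t in fields.get("APT-Sources", "").split() if "://" in t]
    # A binary built from a same-named source package carries no Source: field.
    source = (fields.get("Source") or fields.get("Package", "")).partition(" ")[0]
    return {
        "package": fields.get("Package"),
        "source": source,
        "original_maintainer": fields.get("Original-Maintainer"),
        "repo_hosts": hosts,
        "from_ubuntu_archive": bool(hosts) and all(_is_ubuntu_host(h) for h in hosts),
    }

def check_package(name):
    """Live check against the local apt cache (needs apt, so not exercised offline)."""
    out = subprocess.run(["apt", "show", name], capture_output=True, text=True, check=True).stdout
    return package_provenance(parse_apt_show(out))

# Constructed sample of `apt show git-lfs`; the maintainer address is a placeholder.
SAMPLE_UBUNTU = """\
Package: git-lfs
Original-Maintainer: Debian Example Team <placeholder@example.invalid>
APT-Sources: http://archive.ubuntu.com/ubuntu mantic/universe amd64 Packages
Description: Git extension for versioning large files
 Continuation line of the description.
"""
# The same record as if served from a constructed third-party repository instead.
SAMPLE_THIRD_PARTY = SAMPLE_UBUNTU.replace("http://archive.ubuntu.com/ubuntu", "https://packagecloud.example.invalid/repo")
```

On a real system, `check_package("git-lfs")` runs the live query; `from_ubuntu_archive` turning False is the signal that a third-party source has won the candidate version.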
1

Did you look?

Your question to me is somewhat clear, and you didn't provide a release (thus I've used my own), but looking at the package details can provide some level of security.

https://packages.ubuntu.com/mantic/git-lfs

That page alone gives me great details, including that the Original Maintainers are more (beyond just MOTUs).

It tells me it's a community-supported package (thus being found in universe), providing links to the changelog which actually confirm details from the first page I provided (i.e. maintained mostly by Debian).

How far in this exploration I'd go will depend on how secure I want to be, which may be exploring in upstream Debian sid, then to its source, looking at past changes & how regular they are, especially post-changes occurring further upstream, etc.

How secure something is is very subjective though, and how far I'll go will depend on how nervous I am, and how much security matters for my intended usage.

guiverc
  • 33,561