Comment by buckle8017

2 hours ago

Red Hat's entire reason for existence is to prevent this.

Not really, no.

  • So why else do we pay someone to package and certify/verify open source projects? This is absolutely 90++% of what should be Red Hat's core day job.

    • Non-profit Open Source distributions also and already package and verify open source packages (arguably often with a higher quality of analysis than Red Hat).

      You pay Red Hat for compliance reasons (availability of support you'll never call, mostly).