If you are simply looking for package repositories, there are a number of defaults built into the yum client and there is also a list of "official" ones listed at the YUM website at Duke.
If you are asking "how do I know if these packages aren't tampered with" then there are a number of checks built into yum and rpm. The rpm itself has an md5 checksum which is verified before the package is installed. Of course someone could get around that by modifying the package and then replacing the one in the rpm with one that is valid for the modified package. This is where YUM actually goes one step further than RPM. With RPM the use of GPG key signing is optional. RPM will give you a warning, but will still install the package. With YUM, it will automatically retrieve the Red Hat/Fedora GPG key and verify that the package has been correctly signed with the proper key.
I'm not that familiar with the inner workings of APT-RPM, but I would imagine they are pretty similar.
To be honest, I think you're at much lower risk using an automated package installer rather than depending on yourself to check vulnerability lists on a daily basis to make sure all packages are updated. It makes a world of difference to know that you have something like yum when the next Apache remote root vulnerability comes out and you happen to be on vacation that week.
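
A configuration check for the signature verification discussed above, added here as an example that is not part of the original post: it lists the enabled repositories for which yum would install packages without a GPG check. The function names and sample files are constructed, and the `gpgcheck` semantics used (a per-repo value overrides `[main]`, an unset value means no check) are an assumption based on yum.conf(5).

```shell
#!/bin/sh
# Added example: list enabled yum repositories whose effective gpgcheck is off.
# Assumption (yum.conf(5)): gpgcheck in [main] is the default for every repo,
# a per-repo gpgcheck overrides it, and an unset value means 0 (no check).
audit_gpgcheck() {
    conf=$1; dir=$2   # e.g. /etc/yum.conf and /etc/yum.repos.d
    # Default from the [main] section; 0 when the key is absent.
    main=$(awk -F= '
        /^\[/ { in_main = ($0 ~ /^\[main\]/) }
        in_main && $1 ~ /^[ \t]*gpgcheck[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print (v == "" ? 0 : v) }' "$conf")
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -F= -v def="$main" '
            function on(v) { v = tolower(v); return (v == "1" || v == "yes" || v == "true") }
            # Print the section seen so far if it is enabled but unchecked.
            function report() { if (id != "" && on(enabled) && !on(check)) print id }
            /^[ \t]*[#;]/ { next }
            /^\[/ { report(); id = substr($0, 2, index($0, "]") - 2)
                    enabled = "1"; check = def; next }
            { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
            key == "enabled"  { enabled = val }
            key == "gpgcheck" { check = val }
            END { report() }' "$f"
    done
}

demo() {
    # Constructed sample configuration, not taken from a real system.
    t=$(mktemp -d)
    mkdir "$t/repos.d"
    printf '[main]\ngpgcheck=1\n' > "$t/yum.conf"
    printf '[base]\nenabled=1\n\n[testing]\nenabled=0\ngpgcheck=0\n' > "$t/repos.d/base.repo"
    printf '[thirdparty]\nenabled=1\ngpgcheck = 0\n' > "$t/repos.d/thirdparty.repo"
    audit_gpgcheck "$t/yum.conf" "$t/repos.d"
    rm -rf "$t"
}

demo
```

On a real host the call would be `audit_gpgcheck /etc/yum.conf /etc/yum.repos.d`; any repository it prints is one where a modified package would be installed without a signature check.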