Surely package signing already solves this?

One could sign packages in such a way that a replay attack was impossible... assuming that the
client has an accurate clock.

Have a root-level signature re-issued each day over the entire repository, that also includes
the date that it is generated.  When talking to a mirror, you can check this root file, and if
it's more than a day or two old, that's a bad mirror and should be ignored.  (This also
catches mirrors that are merely stale, which can be a problem sometimes for entirely
non-malicious reasons...)  Because the date is signed, the mirror can't pretend to be
up-to-date.

Of course, the signature has to also cover the packages in the repository or it's no use -- a
malicious mirror could serve up a fresh root cert and stale packages, and verifying a
signature made in the naive way over the entire repository would be prohibitively expensive.
(Heck, *generating* such a signature would be prohibitively expensive...)  But one could create
a tree of signatures to mitigate this -- the root signs a list of package/version/hash, and
then you just have to download the root, the list of package versions (which you usually
download anyway), and the actual packages you want...

If clients don't have accurate clocks, you could instead put the current root signature on a
single centralized server run by a trusted party (i.e. the distribution itself), and have
everyone fetch it directly; this would be reasonable scalable, since the central box would
only have to serve one few-hundred-byte file instead of being a full mirror.

Not that I expect anyone to do this, but it's fun to think about.