It's not about the source but the private keys. See my other comment here. The same problem is real with the Linux distribution and the owners of the distributions too. Nobody reads the source of everything that is changed with every signed update.

That's why there's signing in the first place.