The release files are signed but verifying the signatures cannot
catch certain types of attacks:
1. A malicious maintainer could make more than one variant of
a package. One could be for general distribution. Another
with malicious content could be targeted to specific users,
for example, distributing the malicious version on a mirror
controlled by the attacker.
2. If the signing key of an honest maintainer was compromised
without being detected, a similar situation as described
above could occur.
SHA256SUMS could be put on the project website but having it in
the Git repository makes it obvious that old lines aren't modified
when the file is updated.
Hashes of uncompressed files are included too. This way tarballs
can be recompressed and the hashes can still be verified.
Lasse Collin