build scripts do not verify downloaded source tarballs
I may be miscalculating the risks but shouldn't all code one downloads at least be checked against a hash sum fetched over https or multiple network connections/exits?
I assume official binaries are not built behind Tor or an insecure wifi - though others may want or need to do that - but Erinn would make an interesting target for ISP intrusion or other scenarios.
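The check the ticket asks for, as an added example rather than anything from the ticket or the Tor build scripts: a POSIX sh fragment that refuses to proceed unless a tarball's SHA-256 matches a checksum that two independently fetched copies of the checksum file agree on. The function names, file names and the constructed fixtures (a toy tarball and mirror checksum files) are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the ticket or the Tor build scripts: fail-closed
# SHA-256 verification of a downloaded source tarball, requiring the sum to
# agree across two independently fetched copies of the checksum file.
set -u

# Print the SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the hex sum recorded for <name> in a "<hex>  <name>" checksum file;
# prints nothing if the name is absent.
sum_for() {  # sum_for <sumfile> <name>
    awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# Print the checksum for <name> only if both independently fetched copies of
# the checksum file carry the same non-empty entry; otherwise fail.
consistent_sum() {  # consistent_sum <sumfile-a> <sumfile-b> <name>
    a=$(sum_for "$1" "$3"); b=$(sum_for "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ] || return 1
    printf '%s\n' "$a"
}

# Verify <tarball> against the agreed checksum. Nonzero exit on any failure,
# so a build script running under `set -e` stops before touching the source.
verify_tarball() {  # verify_tarball <tarball> <sumfile-a> <sumfile-b>
    name=$(basename "$1")
    expected=$(consistent_sum "$2" "$3" "$name") || {
        echo "refusing $name: checksum copies disagree or lack an entry" >&2
        return 1
    }
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "verified $name ($actual)"
        return 0
    fi
    echo "MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
}

# Constructed fixtures (not real release files): a tiny tarball, two agreeing
# checksum files from "mirrors", a tampered checksum file, and a tampered copy
# of the tarball. Prints the directory they live in.
make_fixtures() {
    d=$(mktemp -d)
    mkdir "$d/src"
    echo 'int main(void){return 0;}' > "$d/src/main.c"
    tar -C "$d" -cf "$d/pkg-1.0.tar" src
    h=$(sha256_of "$d/pkg-1.0.tar")
    printf '%s  pkg-1.0.tar\n' "$h" > "$d/sums-mirror-a"
    printf '%s  pkg-1.0.tar\n' "$h" > "$d/sums-mirror-b"
    printf '%064d  pkg-1.0.tar\n' 0 > "$d/sums-tampered"   # bogus all-zero sum
    mkdir "$d/tampered"
    cp "$d/pkg-1.0.tar" "$d/tampered/pkg-1.0.tar"
    printf 'x' >> "$d/tampered/pkg-1.0.tar"                 # one appended byte
    printf '%s\n' "$d"
}

# Stand-alone demo (RUN_DEMO=1 ./verify.sh): the good tarball verifies,
# the tampered copy and the tampered checksum file are both rejected.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(make_fixtures)
    verify_tarball "$d/pkg-1.0.tar" "$d/sums-mirror-a" "$d/sums-mirror-b"
    verify_tarball "$d/tampered/pkg-1.0.tar" "$d/sums-mirror-a" "$d/sums-mirror-b" || true
    verify_tarball "$d/pkg-1.0.tar" "$d/sums-mirror-a" "$d/sums-tampered" || true
fi
```

Requiring two copies to agree only helps when they really travel different paths (for instance one over a plain HTTPS mirror and one over a different network exit); a checksum file served from the same host as the tarball adds little, and a detached signature checked against a pinned release key is the stronger form of the same check.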