by animeweedlord 3664 days ago
Cryptographic signing.
1 comments

And you got the key against which you check the signature from where?
With Linux distributions it's entirely possible to meet [ed: developers] at conventions and build a path of trust quite directly to the signing keys. I'd argue it's generally more secure than "random CA said this domain name belongs to Red Hat". It might even be more secure than this particular CA that I believe Red Hat have previously used, said this new TLS key belongs to Red Hat.
While all this is true, I find it hard to believe that anyone prefers to dodge the dark patterns, forged images with embedded malware, and adverts of The Pirate Bay rather than direct from the distro web site.