by lorecore 43 days ago
Signed commits could solve this in a more decentralized way if people post their public keys on their own domains.
1 comments

Own domains is the real deal. My preferred model is tarball releases with checksums, or better yet, with signatures (like remind[0] or msmtp[1]). Such pages are trivial to host properly and load quickly.

[0]: https://dianne.skoll.ca/projects/remind/

[1]: https://marlam.de/msmtp/download/

I was confused for a bit what those two projects have to do with signatures but I guess you are just using them as examples of having (PGP) signatures for downloads?