[eric_bullington]

Even if you do verify the integrity of the package, then you still can't know for absolute certain that the package maintainer hasn't somehow exposed their private key or been otherwise compromised. You have to trust them.

[jarrett]

If the package maintainer has exposed their private key, and yet the package itself in intact, what harm is there (at the moment)? With the key compromised, you could have been MITMed, but you weren't. You could be MITMed in the future, but that's a problem for another day.

[eric_bullington]

I just saw this reply, and I have to clarify: the moment the maintainer's key is compromised, it becomes possible for someone to MITM. It's not clear if that's what you were saying, but that's how it is, and that's absolutely a problem as soon as the key is compromised (particularly if he/she was targeted).