build scripts do not verify downloaded source tarballs

I may be miscalculating the risks but shouldn't all code one downloads at least be checked against a hash sum fetched over https or multiple network connections/exits?

I assume official binaries are not built behind Tor or an insecure wifi - though others may want or need to do that - but Erinn would make an interesting target for ISP intrusion or other scenarios.
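As an added example (not the project's build scripts), here is the kind of fetch-and-verify step the report asks for in POSIX sh: the expected SHA-256 is pinned in the script next to the URL, the download is restricted to HTTPS via curl's `--proto` option, and any mismatch deletes the file so the build fails closed. The URL, file names and digest in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Tor Browser's build code: pin a SHA-256 per tarball and
# refuse to build on mismatch. URLs, filenames and hashes below are constructed.
set -u

# Portable SHA-256 of a file (GNU coreutils sha256sum, or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# verify_tarball FILE EXPECTED_SHA256 -> 0 only on an exact digest match.
verify_tarball() {
    file=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'HASH MISMATCH %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
        return 1
    fi
}

# fetch_and_verify URL EXPECTED_SHA256 [DEST]: HTTPS only, download to a .part name,
# and delete on mismatch so a bad tarball never sits where a later step picks it up.
fetch_and_verify() {
    url=$1; expected=$2; dest=${3:-$(basename "$url")}
    case $url in https://*) ;; *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;; esac
    curl --fail --silent --show-error --location --proto '=https' -o "$dest.part" "$url" || return 1
    if verify_tarball "$dest.part" "$expected"; then mv "$dest.part" "$dest"
    else rm -f "$dest.part"; return 1; fi
}

# demo_check: constructed stand-in for a tarball; the "pinned" digest is computed once
# here, where a real build script would hard-code it next to the URL.
demo_check() {
    dir=$(mktemp -d); tb="$dir/libfoo-1.0.tar.gz"
    printf 'constructed sample, not a real archive\n' > "$tb"
    pinned=$(sha256_of "$tb")
    if verify_tarball "$tb" "$pinned"; then ok=0; else ok=1; fi
    printf 'tampered\n' >> "$tb"                     # simulate a substituted download
    if verify_tarball "$tb" "$pinned" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Running `demo_check` exercises both paths offline: the untouched file verifies, and the same file with one appended line is rejected.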