To be more certain that the code I'm about to run was written by the people I trust (by repute) to write non-malicious code.
These guys have built up quite a good reputation, and many people trust them to write useful, non-malicious code. If they did start shipping something iffy, they'd (ideally) quickly lose all of that good reputation, but not before doing quite a lot of harm as people updated. GPG doesn't protect against the authors going rogue, but against someone else maliciously trying to take advantage of this software's good reputation. SSL protects me against a straightforward MITM, but doesn't assert that the server is still under full control of the author and doesn't protect mirrors.