@cwebber @lxoliva Certainly we need to trust it as well. But if you're installing software on your system, there are generally other, more effective ways to compromise the user than resorting to side-channels.
But ensuring your software is signed and reproducible also helps to mitigate targeted attacks---if you're running the same software that everyone else is running, then the risk is very high for someone to do something malicious and tarnish their reputation.
Many users just `curl foo | sudo sh` the latest hot thing as they're instructed.