this is really bad. and i think it is getting too hard to be safe. because i don't know how to handle the sources on github. and github could be compromised too.
There have been no notable changes on github in the last months, so it is rather unlikely (I am not saying impossible!). But I agree, it's bad nonetheless.
EDIT:
Did anybody check the GPG sigs? For me they give a valid signature from an unknown key ID: 7809386C. After learning the gpg 1-2-3 for dummies, I could verify the signature as:
gpg: Good signature from "Adrian Gallagher <thrasher@addictionsoftware.com>"