Signed upstream tarballs in Debian


In the past, numerous file distribution servers have been compromised, and the attacker replaced a release tarball or zip archive with a modified version containing a backdoor. Distributions usually rely on some kind of signature scheme to protect against such an attack on their own infrastructure, but that protection does not cover the initial retrieval of the source code from upstream (usually done by downloading the release tarball). If the server hosting that tarball has been tampered with, the maintainer imports the backdoored tarball and the distribution then signs it as if it were genuine, so a signature made by the upstream developer on the tarball itself is needed to detect such a substitution.