Re: No chain of trust?
Where you download from should have very little bearing on security. A cryptographic chain of trust works just as well with something off the back of a lorry as with the most trusted origin.
I wouldn't rely on a "gentoo.org" address for my security: that would open me to any number of attack vectors. Verifiable PGP signatures of verifiable Gentoo personnel work altogether better.
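An added example, not part of the original post: one way to check a download by who signed it rather than by where it came from, using gpg's machine-readable status output and a pinned fingerprint. `PINNED_FPR` is a constructed placeholder (the real fingerprint has to be obtained and checked out of band), and the function names are hypothetical.

```shell
#!/bin/sh
# Trust decision = "signed by the key I pinned", independent of mirror or URL.
# Constructed placeholder, NOT a real key fingerprint.
PINNED_FPR="${PINNED_FPR:-0123456789ABCDEF0123456789ABCDEF01234567}"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint and no bad/expired/revoked status appears.
signer_is_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint when gpg reports it;
            # otherwise fall back to the signing-key fingerprint in field 3.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# $1 = downloaded file, $2 = detached signature fetched alongside it.
# The signer's public key must already be in the local keyring.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signer_is_pinned "$PINNED_FPR"
}

# Usage: sh verify.sh FILE FILE.sig
if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "OK: signed by pinned key"
    else
        echo "REJECTED: no valid signature from pinned key" >&2
        exit 1
    fi
fi
```

The check looks at the fingerprint instead of gpg's exit code alone, because a signature from any other key in the keyring would also verify successfully.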