I get that there are drawbacks to not using rsync, but there are always trade-offs to be made when securing something. At this point I strongly believe that there is no excuse for defaulting to installing from unvalidated sources. Fixing this requires gnupg in stage3 and changes to the installation handbook. An added benefit of any user inconvenience could be that fixing things for real (http://wiki.gentoo.org/wiki/GLEP:58 and moving to git) would get some visibility and therefore more helping hands.
Reproducible: Always
This is not a matter for the Security team (that deals with vulnerability handling and tracking of applications in the Gentoo tree). You might be interested in the Gentoo Keys project[0], which works on bringing OpenPGP signatures into the handling of commits and, further, packages. The first release of gkeys was made just recently.
References:
[0] https://wiki.gentoo.org/wiki/Project:Gentoo-keys
We don't need a bug for tracking this.