#3
15th June 2010
thirdm

I noticed that Gentoo, who gets positive coverage in the ;login: article below for the way they sign packages, was at one point serving up the compromised source, while Debian never packaged it, not because signatures or hashes alerted them to irregularities but because certain Debian developers had bad feelings about the reliability of the source. That isn't to pick on Gentoo, but it fits very well with the sort of things you sometimes read in openbsd-ports or Bruce Schneier articles about technological measures versus social factors.

http://www.usenix.org/publications/l...dfs/samuel.pdf

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515130