And yes, it's users' responsibility to decide what code they trust. But "I trust developer/organization X" is a reasonable way to decide that, and auditing every single release is far, far more expensive. I'd be betraying their trust if I let a complete stranger release an update in my name.