Would it be more secure to publish the checksum of the moodle-packages? I can download the source-code on different mirrors all over the world - a simple checksum on moodle.org may help to prove the files?