Point is - you know nothing about cryptography, right ?

Posted Dec 18, 2007 6:33 UTC (Tue) by njs (guest, #40338)
In reply to: Point is - you know nothing about cryptography, right ? by khim
Parent article: SquirrelMail 1.4.13 released - older versions compromised

>if "black hat" can alter the tarball after it's created and official signature is created.

I think you mean, "after [the tarball] is created *but before* the official signature is
created".  I.e., they need to perform some sort of complicated swaparoo on the people doing
the security announcement, and if you can do that, then you don't need a hash collision.
MD5's weaknesses are just completely irrelevant to this use case.

Maybe if we try another way of explaining... when people say MD5 is broken, what that means
(for now) is that I can: take that tarball from the website with hash A, and then use it to
create two new, different tarballs, that have the same hash B.  Critically, A and B will be
different (and I can't pick what B will be ahead of time).  So: there are *three* files here:
1) the original, valid tarball, which has hash A, 2) one of my "evil" "copies", which has hash
B, 3) the other one of my "evil" "copies", which also has hash B.

The result is that if you have a file with hash B, you don't know whether that's file (2) or
(3) above, but if you have a file with hash A, then you can be certain that it is file (1).
The security announcement is there to tell you what hash A is.
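A worked version of the three-file picture above, written as an added example by the editor rather than by the commenter or the SquirrelMail project. It models what the defender actually does: the maintainer publishes hash A of the genuine tarball (file 1) in an announcement, and the downloader checks the file they received against that announced value, never against a hash they computed themselves from the download. The tarball bytes, the file name `squirrelmail-1.4.13.tar.gz`, the announcement format and the two "evil copies" are all constructed for the demo; no real MD5 collision is generated here, so the two evil copies are simply different bytes that, as in the comment, cannot carry the announced hash A.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the genuine release (file 1 in the comment's
# numbering). Not the real SquirrelMail 1.4.13 archive.
RELEASE_NAME = "squirrelmail-1.4.13.tar.gz"  # assumed file name
ORIGINAL_TARBALL = b"squirrelmail-1.4.13: genuine release contents (constructed)\n"

# Two attacker-modified copies (files 2 and 3). In a real collision attack
# these would share some hash B with each other; what matters for the
# verifier is only that neither can have the announced hash A.
EVIL_COPY_1 = b"squirrelmail-1.4.13: genuine release contents (constructed)\n" + b"X"
EVIL_COPY_2 = b"squirrelmail-1.4.13: genuine release contents (constructed)\n" + b"Y"


def make_announcement(name: str, data: bytes) -> str:
    """What the maintainer publishes: hash A, fixed from the genuine bytes
    before anyone downloads anything. Format is assumed, 'ALGO (name) = hex'."""
    return (
        f"MD5 ({name}) = {hashlib.md5(data).hexdigest()}\n"
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
    )


_LINE = re.compile(r"^(?P<algo>MD5|SHA256) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]+)$")


def parse_announcement(text: str) -> dict:
    """Return {filename: {algo: hexdigest}}; unparseable lines are ignored."""
    out: dict = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.setdefault(m["name"], {})[m["algo"]] = m["hex"]
    return out


def verify_release(name: str, data: bytes, announcement: str) -> bool:
    """True only if every digest announced for `name` matches `data`.

    The comparison is against the announced value A, so a file whose hash
    is B (the attacker's colliding pair) fails regardless of how many
    other files share B. Constant-time compare avoids leaking digest bytes
    through timing if this is ever wired to a network-facing service.
    """
    announced = parse_announcement(announcement).get(name)
    if not announced:
        return False  # nothing announced for this file: cannot verify it
    for algo, expected in announced.items():
        actual = hashlib.new(algo.lower(), data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


# The announcement is built from the genuine bytes only.
ANNOUNCEMENT = make_announcement(RELEASE_NAME, ORIGINAL_TARBALL)

if __name__ == "__main__":
    for label, blob in (("file 1 (genuine)", ORIGINAL_TARBALL),
                        ("file 2 (evil copy)", EVIL_COPY_1),
                        ("file 3 (evil copy)", EVIL_COPY_2)):
        print(f"{label}: {'OK' if verify_release(RELEASE_NAME, blob, ANNOUNCEMENT) else 'REJECT'}")
```

The point the code makes is the one in the comment: the announced hash A is the trust anchor, and a collision attack on the hash function changes nothing about whether a downloaded file can be made to match a value that was fixed before the attacker started.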


Copyright © 2013, Eklektix, Inc.