Because the announcements are GPG signed.
gpg: Signature made Tue May 13 05:03:24 2008 PDT using RSA key ID 02D524BE
gpg: Good signature from "Florian Weimer (HIGH SECURITY KEY) <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C8D3 D9CF FA9E 7056 3F32 FA54 BF7B FF04 02D5 24BE
If you don't have the key, you can import it like this:
gpg --keyserver pgpkeys.mit.edu --recv-key <keyid>
Since there is no web of trust between me and the owner of this key there is still no way to
guarantee that it really belongs to Florian Weimer other than checking it against other posts
to the list.