Gentoo has manifest checksums which need to be updated when the recipe is. This is vulnerable to compromise and of course assumes the developer has checked their copy of the upstream tarball hasn't been compromised.
One mitigation would be to move from rsync'ing the portage tree (which I believe is still held in CVS) to using a git tree instead. At least this way you can be sure* the metadata hasn't been tampered with between syncs. Of course you still depend on the developer doing due diligence on the first tree.
I'm not sure if the nature of the distribution (being source based) widens or narrows the attack surface.
* YMMV, I don't believe anyone has managed an attack on a git repo yet.
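As an added illustration (not part of the comment above) of the Manifest check being discussed: a small Python verifier for Gentoo Manifest2 `DIST` entries, run over constructed sample data rather than a real package. It shows that the check only proves the distfile matches what the developer recorded, which is exactly the dependence on developer due diligence the post points out.

```python
import hashlib

# Hash algorithms a Manifest may list; names follow Gentoo's Manifest2 spelling.
HASH_FUNCS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}
# Constructed stand-ins for a distfile (not a real tarball) and a tampered copy.
GOOD_DISTFILE = b"constructed stand-in for demo-1.0.tar.gz\n"
SAME_SIZE_DISTFILE = GOOD_DISTFILE[:-2] + b"X\n"   # size matches, hashes do not

def manifest_dist_line(name, data):
    # Build a Manifest2 DIST entry: DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]
    digests = " ".join("%s %s" % (algo, fn(data).hexdigest())
                       for algo, fn in HASH_FUNCS.items())
    return "DIST %s %d %s" % (name, len(data), digests)

# Constructed Manifest text; the EBUILD line is a placeholder non-DIST entry.
SAMPLE_MANIFEST = "\n".join([
    "EBUILD demo-1.0.ebuild 100 BLAKE2B 00 SHA512 00",
    manifest_dist_line("demo-1.0.tar.gz", GOOD_DISTFILE),
])

def parse_manifest(text):
    """Return {filename: (size, {ALGO: hex})} for the DIST entries only."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # A DIST line has an odd field count: type, name, size, then ALGO/hex pairs.
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 != 1:
            continue
        name, size = fields[1], int(fields[2])
        hashes = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, hashes)
    return entries

def verify_distfile(entries, name, data):
    """Check a downloaded distfile against its Manifest entry: size, then every known hash."""
    if name not in entries:
        return False, "no DIST entry for %s" % name
    size, hashes = entries[name]
    if len(data) != size:
        return False, "size mismatch: manifest %d, file %d" % (size, len(data))
    checked = 0
    for algo, expected in hashes.items():
        fn = HASH_FUNCS.get(algo)
        if fn is None:
            continue                      # unknown algorithm: cannot verify it
        if fn(data).hexdigest() != expected.lower():
            return False, "%s mismatch" % algo
        checked += 1
    if checked == 0:
        return False, "no verifiable hash listed"
    return True, "ok"
```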