@space Yes, the problem is distros that continue using the "random third party mirror" model to distribute their installers/ISOs. Even if they consistently use HTTPS, it's much easier to compromise a random mirror since they are run by many third parties. Of course when they do this they invariably offer at least a SHA hash of the ISO or something on the primary website, but most people don't check that.

Random third party mirrors are fine for automated install systems that verify signatures without user interaction (e.g. package repositories), but I consider it an antipattern in this day and age for direct user distribution because the vast majority of users that don't verify anything will be exposed to the attack surface of countless third parties. For Asahi we use a commercial CDN, so there is a single point of compromise (and if you hack into Bunny.net or Amazon there are probably juicier targets than us).

We could further improve this by making the bootstrap script a trust root that verifies everything else directly, and serving it from an even more tightly controlled server, though we don't do that today (yet).
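The "bootstrap script as trust root" idea from the comment above, as an added example (this is not the Asahi project's own bootstrap script): the expected digest is pinned inside the script, the image is fetched from whatever mirror or CDN, and nothing is used until the digest matches. The URL and the pinned digest are placeholders; the digests in the test are those of constructed sample files.

```shell
#!/bin/sh
# Added example, not Asahi's or any distro's real installer.
# Pattern: the script itself is the trust root. The digest is shipped with
# the script, so a mirror that swaps the ISO cannot also swap the expected hash.
set -eu

# Compute SHA-256 of a file, tolerating whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Compare a downloaded artifact against a digest pinned in this script.
# Returns 0 on match, 1 on mismatch (and says so on stderr).
verify_artifact() {
    file="$1"
    expected="$2"
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Fetch from an untrusted location, verify, and discard the file on mismatch
# so a later step cannot accidentally pick up the unverified download.
fetch_and_verify() {
    url="$1"
    dest="$2"
    expected="$3"
    curl -fsSL -o "$dest" "$url"
    if ! verify_artifact "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}

# Hypothetical values: replace with the real image URL and its published digest.
# Nothing is downloaded when this file is only sourced for its functions.
INSTALLER_URL="https://cdn.example.invalid/installer.iso"   # placeholder
INSTALLER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# Uncomment to run the full flow:
# fetch_and_verify "$INSTALLER_URL" ./installer.iso "$INSTALLER_SHA256"
```

The point of pinning the digest in the script rather than fetching a checksum file from the same mirror is that the mirror then only needs to be available, not trusted; the script, served from the tightly controlled origin, carries the trust.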