No chain of trust?
If you happened to download a fresh .iso, and have no or inadequate connection to the Strong Set, then you have a bootstrap problem.
Anyone else should surely be protected by a chain of trust leading at the very least back to what they originally installed, and supported by signatures within the Strong Set.
Or are you suggesting that (of all things) a techie-oriented Linux distro has no basic security in its distribution? That Gentoo is doing the spooks' bidding by laying itself wide open to the insertion of spyware, government-sanctioned or otherwise?