Open KOLANICH opened 3 years ago
what problem you believe would be solved if we implemented the actions implied by your headline
No problem can be solved by them alone. Now NSA or ISP can just insert malware (a felony, TBH, but not for NSA, which can violate any law it wants, there is no one to prosecute them (and put the employees involved in it into prisons) for that) into tarball downloads. In a scenario where you just set up TLS, they cannot just insert malware. But they can issue a rogue cert from a rogue CA, and then insert malware. OK, let's assume the user has distrusted all the rogue CAs. Well, NSA can either compromise a non-rogue CA, or just your server. It may be more profitable to compromise a non-rogue CA, but let's assume that the CA has good security and they cannot compromise it. Then they can try to compromise your hoster and your VPS (if you use it). OK, let's assume your hoster and your VPS run secure software with no vulnerabilities and formally verified. Then NSA can blackmail a hoster (either with a legal document prescribing the hoster to help them and prosecuting its employees otherwise, if the hoster is in the US, or by a threat to block access from the US to all the websites hosted on the hosting) and get unauthorized access with hoster cooperation. Then if the binaries are signed and they haven't compromised the signature, they will fail for the users already having your public key. Of course they can go further. They can get unauthorized access to your computer and get your private key. Or they can try to send a backdoored patch in hope you will not notice. Or they can send goons to visit you personally. The main idea of the narrative is that there is no silver bullet guaranteeing security.
Would you mind arguing what problem you believe would be solved if we implemented the actions implied by your headline?
If you are asking us to do work, the least you can do is document the putative bug.