I was looking at the Flight files and I noticed the packages were signed, but when I modify them Flight doesn't seem to mind. Maybe they pushed a patch to stop checking package signatures? If that is what happened, then they deserve a lot of credit for doing it since it will allow for (some) community development.
UNIMPORTANT EDIT: After looking into it a little further, according to this Stack Overflow post it seems that using SHA-1 to hash 2 GB of data can take about 60 seconds. The security catalog says the packages were signed with SHA-1.
http://stackoverflow...a-1-computehash