There are millions of projects using open source on github. I am clearly saying here that those who trust will use it, those who do not will not use it. I understand the scenarios you mentioned. However, if you already trust a company, you need to trust that that company protects its own accounts and itself. Those who don't trust won't use it, it's that simple and clear. You can review the changes in the entire file on github. In addition, the reason for "specifying the man in the middle attack" is the comments in the post of a friend who thinks he is knowledgeable in terms of security.

The raised issue is not related to MITM attacks; the possible attack vector is the following, whenever you "blindly" trust a third party and use a given external address/domain over which you do not have full control:
1) someone (in perfect good faith) provides a service of some kind
2) you connect to it and get from it something (which is good, useful and what not)
3) everything is fine and works nicely
4) then, one day, either:
4.a) the good guys setting up the service lose control of the site (for *whatever* reasons)
or
4.b) the contents of the site/service are replaced with malicious ones without the good guys noticing it (at all or in a timely manner)
Something hosted on github may be safer for both possibilities #4.a and #4.b when compared to a "normal" domain (that can be bought/sold/expire and is likely to have worse access security), but it is not - in principle - failsafe.
And we did not even take into consideration the possibility that someone builds intentionally a perfectly good service/site with the intention - since the beginning - to leverage its popularity for *whatever* nefarious action in 3 or 6 or 12 months time.
Example: https://list.rtbh.com.tr/mikrotik.rsc - and there are many more such well-intentioned projects.
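The gate a practitioner would put in front of scenarios 4.a and 4.b, as an added example that is not part of the post above and is not code from the project linked: instead of trusting the URL, pin the SHA-256 of the copy you actually reviewed, and refuse to apply anything fetched later that does not match. The script body, the pinned digest and the two fetcher functions (standing in for `/tool fetch` or `curl`) are constructed for the example; a real deployment would commit the digest to configuration management and run this on the management host before pushing the `.rsc` to the router.

```python
"""
Fetch-verify-apply gate for a third-party script (e.g. a mikrotik.rsc).
Added example, not from the forum thread. The content and digests below are
constructed; no network access is performed.
"""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample: the script body as it looked when it was reviewed.
REVIEWED_SCRIPT = (
    b"/ip firewall address-list add list=blocklist address=198.51.100.0/24\n"
    b"/ip firewall address-list add list=blocklist address=198.51.100.77\n"
)

# Digest of the reviewed copy. This value, not the URL, is what you trust.
PINNED_SHA256 = hashlib.sha256(REVIEWED_SCRIPT).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the fetched bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_fetched(data: bytes, pinned_hex: str) -> bool:
    """True only if the fetched bytes match the pinned digest.

    compare_digest is used so the comparison does not short-circuit on the
    first differing character.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_hex.lower())


def gate(fetch: Callable[[], bytes], pinned_hex: str) -> Optional[bytes]:
    """Fetch through the caller-supplied function and return the content only
    if it verifies; None means 'do not import this'. Any change at the source,
    whether the domain changed hands (4.a) or the file was swapped (4.b),
    shows up here as a mismatch and fails closed.
    """
    data = fetch()
    if not verify_fetched(data, pinned_hex):
        return None
    return data


# Constructed fetchers standing in for /tool fetch or curl.
def fetch_good() -> bytes:
    """The site still serves exactly what was reviewed."""
    return REVIEWED_SCRIPT


def fetch_tampered() -> bytes:
    """The site now serves a silently altered copy (one address swapped)."""
    return REVIEWED_SCRIPT.replace(b"198.51.100.77", b"203.0.113.77")


if __name__ == "__main__":
    print("pinned:", PINNED_SHA256)
    print("unchanged source accepted:", gate(fetch_good, PINNED_SHA256) is not None)
    print("altered source accepted:  ", gate(fetch_tampered, PINNED_SHA256) is not None)
```

The cost of this approach is that every legitimate update to the upstream file requires a re-review and a new pinned digest; that is the point, since "the file changed" is exactly the event the post says you cannot otherwise distinguish from "the file was replaced".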
I won't be able to argue with someone who is so ignorant that a simple well-intentioned post would be interpreted negatively in terms of the security of a service provider.