You still have to decide who to trust, but having a collection of many independent parties verifying a package can be a useful signal even if you don't have anyone directly in your trust chain. It makes it a lot harder for rogue releases to go unnoticed.
Trustworthy people wouldn't approve releases automatically... but then, who's trustworthy?
Like Pynchon wrote, paranoia is the garlic of life...