Your points are valid, and I hope b-rad will add them to the download page, but still, it doesn't offer much of a protection.
Of course the I trust you guys, the whole open source model is based on trust to the developers
This is your mistake. You shouldn't trust us! The open source model is built specifically so that you don't have to trust anybody and you can review the code yourself, and trust the code! We won't go rogue and slip backdoors or child porn downloaders in the next firmware, but only the actual code will guarantee it. Of course, trusting the devs gives you time not to review the code
Oh, by the way, the UMSP plugins are not covered by any integrity checks. The development group that handles UMSP is larger than the core developers of WDLXTV so the trust model begins to break there. I'm starting to feel a little paranoid myself, seeing that those plugins have root access to the device, but they are harmless (for now)...