Yes, you are right about PGP over MD5, and following one post above, users should be instructed to use it that way, or MD5ing from different hosts will raise +1 the security level checked.
But freebsd.org does the same as kernel.org; what happens is that it's impossible to use PGP right now on all ports, since it's a matter of "vendors" and third parties to provide that feature and not FreeBSD as the OS.
FreeBSD does that for in-house productions like the SAs; the same is applied by default by the CVS structure on the src and ports tree. If you pay close attention, there's a PGP signature following each SA released and there's an asc file following each patch released.
We aren't any different.