You are right. With alpha 1 there is a risk of a MitM attack causing apps to download something they shouldn't. However, the framework is already in place to mitigate that - I just haven't had time to implement it fully.
All library ZIP files are signed on the server side with the LiveLibs private key, and the signature is checked by the SDK upon download. Starting with alpha 2, hints will also be signed, which will ensure that erroneous updates are never downloaded.
Also, you don't have to trust the LiveLibs.com site to do the updating. The SDK lets you specify alternate URLs for hints and for libraries.
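The check described in the post above, sketched as an added example that is not part of the original post and is not LiveLibs SDK code: a client verifies detached signatures on both the hint and the library ZIP against a pinned public key before installing anything. It assumes modern .NET `System.Security.Cryptography` APIs and RSA with SHA-256; the class names, the hint format, and the key pair are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class UpdateVerifier
{
    // True only if sig is a valid RSA/SHA-256 signature over data
    // under the publisher key pinned in the client.
    public static bool IsAuthentic(RSA pinnedKey, byte[] data, byte[] sig) =>
        pinnedKey.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Check the hint first, then the library; install only if both pass.
    public static bool ShouldInstall(RSA pinnedKey, byte[] hint, byte[] hintSig,
                                     byte[] zip, byte[] zipSig) =>
        IsAuthentic(pinnedKey, hint, hintSig) && IsAuthentic(pinnedKey, zip, zipSig);
}

static class Demo
{
    static byte[] Sign(RSA key, byte[] data) =>
        key.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    static void Main()
    {
        // Constructed stand-in for the server's signing key (throwaway pair).
        using RSA serverKey = RSA.Create(2048);

        // The client holds only the public half.
        using RSA pinned = RSA.Create();
        pinned.ImportParameters(serverKey.ExportParameters(false));

        // Constructed sample hint and library payload (hypothetical format).
        byte[] hint = Encoding.UTF8.GetBytes("lib=example;version=2");
        byte[] zip = Encoding.UTF8.GetBytes("constructed library bytes");
        byte[] hintSig = Sign(serverKey, hint);
        byte[] zipSig = Sign(serverKey, zip);

        Console.WriteLine("genuine update accepted: " +
            UpdateVerifier.ShouldInstall(pinned, hint, hintSig, zip, zipSig));

        // A hint rewritten in transit no longer matches its signature.
        byte[] alteredHint = Encoding.UTF8.GetBytes("lib=example;version=99");
        Console.WriteLine("altered hint accepted: " +
            UpdateVerifier.ShouldInstall(pinned, alteredHint, hintSig, zip, zipSig));

        // A substituted ZIP fails even when the hint itself is genuine.
        byte[] swappedZip = Encoding.UTF8.GetBytes("substituted library bytes");
        Console.WriteLine("swapped ZIP accepted: " +
            UpdateVerifier.ShouldInstall(pinned, hint, hintSig, swappedZip, zipSig));
    }
}
```

Because the decision depends only on the pinned key, the same check applies whether the hint and ZIP come from the default site or from an alternate URL.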