The package description files are currently updated via 'fink selfupdate' using either CVS or rsync. Both mechanisms send unencrypted traffic that is not protected against tampering. An attacker in a privileged network position (read: man in the middle) can alter package description files while in transit and thereby install malware into your system as you compile and install a package from the malicious description.
A solution would be to use an SSL-protected protocol during 'fink selfupdate'; SVN over HTTPS is a possible choice.
Another solution would be to have the package description files signed by their respective maintainer or by the fink team, but that might introduce key management and bootstrapping problems.
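As an added example, not code from Fink or from this report, the following shows the integrity check a client could apply to description files that arrive over plain CVS or rsync: a digest manifest obtained over an authenticated channel (HTTPS, or a signed manifest) is the trust anchor, and any file that is altered, missing or unexpected is reported before anything is built. File names, contents and URLs are constructed.

```python
import hashlib
import hmac

# Constructed sample .info files, standing in for what a trusted Fink
# mirror serves (package names, versions and URLs are made up).
TRUSTED_INFO_FILES = {
    "example-tool.info": (
        b"Package: example-tool\n"
        b"Version: 1.0\n"
        b"Source: https://mirror.example.invalid/example-tool-1.0.tar.gz\n"
        b"Source-MD5: 0123456789abcdef0123456789abcdef\n"
    ),
    "other-lib.info": (
        b"Package: other-lib\n"
        b"Version: 2.3\n"
        b"Source: https://mirror.example.invalid/other-lib-2.3.tar.gz\n"
    ),
}

# The same files as they might look after alteration in transit: the
# Source line of one description now points at a different host (constructed).
TAMPERED_INFO_FILES = dict(TRUSTED_INFO_FILES)
TAMPERED_INFO_FILES["example-tool.info"] = TRUSTED_INFO_FILES[
    "example-tool.info"].replace(b"mirror.example.invalid", b"mitm.example.invalid")


def build_manifest(files):
    """Map each description file name to its SHA-256 hex digest.

    In a real deployment the fink team would publish this manifest over an
    authenticated channel, so it anchors trust for files fetched over CVS/rsync.
    """
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_update(manifest, received):
    """Check files from an unauthenticated channel against the trusted manifest.

    Returns a sorted list of problems; an empty list means every expected file
    is present and unmodified and nothing extra was added.
    """
    problems = []
    for name, expected in manifest.items():
        data = received.get(name)
        if data is None:
            problems.append("missing: " + name)
            continue
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):  # constant-time compare
            problems.append("tampered: " + name)
    problems.extend("unexpected: " + name for name in received if name not in manifest)
    return sorted(problems)
```

A client would refuse to proceed with the update whenever `verify_update` returns a non-empty list.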