That is an interesting idea about the hash verification of the download, I may spend some time playing around with that. I could probably even do a combination of hash and size verification to make a hash collision harder.
The reason the downloads are truncated to domain is because the URLs tend to be far too long to display in the UI. If you mouse over the domain, you'll see a title attribute with the full URL. This is the same for many elements on the site. Icons, abbreviations and numbers with suffixes all have a title attribute to describe the item in more detail.
If you can't secure it by downloading over SSL, couldn't you add a hash verification to the installation steps?
Having homepage & issues listed as 'github.com' for most repos isn't very helpful-- maybe show more of the URL?
Thanks for all your hard work, Package Control is a joy to use!