The bootrom is only needed to make the finishing touches on the
bruteforcer.
Myriachan and SciresM are the only ones who need the bootrom for this task -- mass distribution of the bootrom is not necessary for sighax installation. The bruteforcing, presumably a community effort, will produce a 256 byte perfect signature which is what will actually be used to implement
sighax on people's consoles.
However, bootrom is still needed for it's keys, namely for arm11/PC side decryption tools. I assume that's what hedge means when talking about public distribution of a dumper tool, but I honestly think boot9 will leak before then.