What we really need is a web-of-trust. I've been saying this for years. I know who I trust on GitHub. We even have our public keys there. It's perfectly possible to sign a release with an SSH key, even if GPG would be better.
It won't solve all the issues[0], but it would solve many of these obvious, unskilled attacks and I'm getting kinda sick of the blasé attitude in OSS.
[0] For example, an honest software developer can get local malware that could modify a file just before it is committed and signed.
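The SSH-key release signing mentioned above, as an added example that is not part of the thread: an allowed_signers file stands in for the personal "who I trust" list, and the demo shows a valid signature, a signer who is not in the list, and a tampered release. All keys, identities and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sign a release tarball with an SSH key
# and verify it against an allowed_signers file, i.e. the list of maintainers
# whose published keys you personally trust. Needs OpenSSH 8.1 or later.
# All paths, key names and identities are constructed for this demo.
set -eu

WORK=$(mktemp -d)
RELEASE="$WORK/release.tar.gz"
TRUSTED="$WORK/allowed_signers"

# Create two maintainer keys and a trust list that contains only Alice's.
setup_trust_store() {
    printf 'constructed release payload\n' > "$RELEASE"
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example' -f "$WORK/alice"
    ssh-keygen -q -t ed25519 -N '' -C 'mallory@example' -f "$WORK/mallory"
    # allowed_signers format: "<principal> <keytype> <base64 key>" per line.
    printf 'alice@example %s\n' "$(cut -d' ' -f1,2 "$WORK/alice.pub")" > "$TRUSTED"
}

# sign_release KEY FILE: writes FILE.sig in the "file" namespace.
sign_release() {
    rm -f "$2.sig"
    ssh-keygen -Y sign -f "$1" -n file "$2" >/dev/null 2>&1
}

# verify_release PRINCIPAL FILE: exit 0 only if FILE.sig is a valid signature
# over FILE by a key listed for PRINCIPAL in allowed_signers.
verify_release() {
    ssh-keygen -Y verify -f "$TRUSTED" -I "$1" -n file -s "$2.sig" < "$2" \
        >/dev/null 2>&1
}

# Report the verification outcome as a single word ("good" or "bad").
check() {
    if verify_release "$1" "$2"; then echo good; else echo bad; fi
}

if command -v ssh-keygen >/dev/null 2>&1; then
    setup_trust_store
    sign_release "$WORK/alice" "$RELEASE"
    echo "alice, untouched release:   $(check alice@example "$RELEASE")"
    sign_release "$WORK/mallory" "$RELEASE"     # untrusted key replaces .sig
    echo "mallory, not in trust list: $(check mallory@example "$RELEASE")"
    sign_release "$WORK/alice" "$RELEASE"
    printf 'x' >> "$RELEASE"                    # tamper after signing
    echo "alice, tampered release:    $(check alice@example "$RELEASE")"
else
    echo "ssh-keygen not found; nothing run" >&2
fi
```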
Yes! And there are some steps in the Ruby community to pull in a web-of-trust as well. It's just frustrating that it didn't happen from the get-go in language after language.
That said, I applaud the Debian folks for putting in the work early. Not just in the web-of-trust, but in many aspects of software security.