Wouldn't it be helpful if the <a> tag could include a hash/signature (I'll refrain from
suggesting which one) that the browser could use to verify the download automatically?
Whilst that wouldn't plug the hole completely (the attacker may be able to compromise both the
web site and the tarball), from reading this article it would have meant all
downloaders would have been alerted to the compromise.