The problem here lies in the development procedure of most open source software, but I don't think it should only be pointed at governmental attacks. Since governments are not the only ones who can fund an attack well, we cannot emphasize such threats as coming only from governments.
It is clear that we cannot assure that every piece of code is clean, without deliberately injected harmful code; such a shortcoming is due to our current development procedure, which gives everybody the freedom to contribute to their favorite projects. Talking about hash attacks on DVCS may be really useless on such an issue, as a previous comment has pointed out: generating a piece of code that still works and has the same hash isn't really easy, and please don't forget there are still code reviews, which make generating workable code with injected security holes even harder than generating something meaningless that merely has the same hash. Perhaps nobody can say that any currently widely used hash algorithm (e.g. MD5, SHA1) is so weak that it can be successfully cracked in this way easily. As for GPG, it also depends on a hash algorithm, so talking about GPG apart from the hash may be meaningless.
I don't quite agree with the opinion that Google's statement about a problem in China is an alarm that national governmental attacks are just getting started. Anyway, Google hasn't claimed that it is suffering attacks from the local government; all of that is the result of our guessing. But don't we agree that countries in the world with such power, or even some that are more powerful in this field, may already be cracking their citizens' data and monitoring their information? A problem is always a problem before it is fixed or proved not to be one, but making a fuss about trifles is not needed at all.
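To make concrete what the second paragraph of the comment above calls the dependence of GPG on the hash algorithm: in git the identity of every blob, tree and commit is the SHA-1 of its length-prefixed object, and a GPG signature on an annotated tag is computed over a tag object that refers to the commit only by that id, so the signature is exactly as strong as the hash that id is built from. The Python below recomputes those ids and builds the tag payload. It is an added example written for this page, not code from the comment's author or from git itself; the file contents, author string, tag name and message are constructed sample input, and the tree builder handles only flat lists of regular files.

```python
import hashlib


def git_object_id(kind: str, payload: bytes) -> str:
    """Git names every object by SHA-1 over "<type> <byte length>\\0<payload>".
    The length prefix means a colliding object must also match in size."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Id of a file's contents, as `git hash-object` would print it."""
    return git_object_id("blob", content)


def tree_id(entries) -> str:
    """entries: list of (mode, name, object_id_hex) for regular files in one
    directory. Git stores entries sorted by name with the raw 20-byte id.
    (Assumption for this example: no subdirectories, whose sort rule differs.)"""
    body = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(oid)
    return git_object_id("tree", body)


def commit_id(tree: str, parents, author: str, committer: str, message: str) -> str:
    """A commit names its tree and parents only by their ids."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def signed_tag_payload(commit: str, tag: str, tagger: str, message: str) -> bytes:
    """The bytes a GPG signature on an annotated tag is computed over.
    Nothing of the tree or file contents appears here, only the commit id."""
    return (
        f"object {commit}\ntype commit\ntag {tag}\ntagger {tagger}\n\n{message}\n"
    ).encode()


def demo() -> dict:
    """Build a clean and a tampered history from constructed sample input and
    return the ids plus the tag payload a signer would actually sign."""
    author = "A U Thor <author@example.com> 1263000000 +0000"  # constructed
    clean_blob = blob_id(b"hello\n")
    tampered_blob = blob_id(b"hello\n# one extra line\n")
    clean_tree = tree_id([("100644", "hello.txt", clean_blob)])
    tampered_tree = tree_id([("100644", "hello.txt", tampered_blob)])
    clean_commit = commit_id(clean_tree, [], author, author, "initial import")
    tampered_commit = commit_id(tampered_tree, [], author, author, "initial import")
    return {
        "clean_blob": clean_blob,
        "tampered_blob": tampered_blob,
        "clean_commit": clean_commit,
        "tampered_commit": tampered_commit,
        "tag_payload": signed_tag_payload(clean_commit, "v1.0", author, "release"),
    }


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

Any one-byte change in a file propagates through blob, tree and commit ids and therefore invalidates the signed tag, unless an attacker can produce a second length-prefixed object with the same SHA-1; that is the whole sense in which the signature "depends on the hash algorithm".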