Below is my brief reply to Dan McGee. I posted this on his blog but given the Arch way of doing things, he'll probably just delete it. I notice Arch devs are now attacking LWN and trying to get them to delete their story. What's with these guys? This has been their approach to this issue for years - silence it. I still see no indication that their users' security is of any importance to them. Just ego.
LWN should be applauded for taking the heat for bringing this issue forward with integrity, and not buying the spent Arch dev arguments that no one has been willing to contribute. That is false - I have also heard privately from many devs who told me they also tried to get things done and hit the same brick wall. And I have been thanked by many Arch users for making them aware of this issue. LWN has their priorities right - they are informing their readers of a serious security problem. Silence and censorship are not the solution. Don't shoot the messenger.
As for package signing being 'almost done' - we'll see. They said this in 2008.