Wouldn't it be helpful if the <a> tag could include a hash/signature (I'll refrain from suggesting which one) that the browser could use to verify the download automatically? Whilst that wouldn't plug the hole completely (the attacker may be able to compromise both the web site and the tarball), from the reading of this article it would have meant all downloaders would have been alerted to the compromise.
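The check proposed in the comment above, sketched as an added example that is not part of the original comment. It assumes the link carries a digest in the `alg-base64` format that Subresource Integrity already defines for `<script>` and `<link>`; browsers do not apply any such attribute to `<a>` downloads, and the function names and sample bytes are constructed for illustration.

```javascript
// Added example: verify downloaded bytes against an SRI-style digest string.
const { createHash, timingSafeEqual } = require('node:crypto');

// Weakest to strongest, the preference order Subresource Integrity uses.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Parse "sha256-<b64> sha512-<b64>" into [{alg, digest}]; unknown tokens are skipped.
function parseIntegrity(value) {
  const out = [];
  for (const token of String(value).trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(token);
    if (m) out.push({ alg: m[1], digest: Buffer.from(m[2], 'base64') });
  }
  return out;
}

// True only if the bytes match a digest of the strongest algorithm listed.
// An empty or unparseable value fails closed.
function verifyDownload(bytes, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => ALGS.indexOf(e.alg)));
  return entries
    .filter((e) => ALGS.indexOf(e.alg) === best)
    .some(({ alg, digest }) => {
      const actual = createHash(alg).update(bytes).digest();
      return actual.length === digest.length && timingSafeEqual(actual, digest);
    });
}

// Helper for the demo: the value a publisher would put on the link.
const pinFor = (bytes) => 'sha256-' + createHash('sha256').update(bytes).digest('base64');

// Constructed sample data standing in for a release tarball and a modified copy.
const tarball = Buffer.from('constructed release tarball contents\n');
const modified = Buffer.from('constructed release tarball contents, altered\n');

function demo() {
  return {
    genuine: verifyDownload(tarball, pinFor(tarball)),         // file and page intact
    swappedTarball: verifyDownload(modified, pinFor(tarball)), // only the file replaced
    swappedBoth: verifyDownload(modified, pinFor(modified)),   // page and file both replaced
    emptyPin: verifyDownload(tarball, ''),
  };
}
```

`swappedBoth` returns `true`, which is the limit the comment itself points out: a digest served from the same site only detects a tarball that was replaced without the page being changed too.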
Copyright © 2017, Eklektix, Inc.