It's not very popular, but I wonder if signing release tarballs with the release manager's private key would go some ways towards alleviating xz-esque woes, at the very least making distros aware that an upstream has changed hands and having to do due diligence to fix their builds
Though key distribution is, as always, the main problem here