@ikke well, did anyone downstream verify the signatures? I only know of Arch Linux as incorporating upstream release signatures into their build process, and they do so inconsistently. So even if they were signed, I don't think that means there are processes to do due diligence.
@drewdevault a new maintainer can do one or more innocent releases. Their keys are trusted, and then they can start incorporating malicious changes.