by blattimwind 2790 days ago
> So what can we do to address this?

We use a web of trust and sign releases using our well-known WoTted keys using GPG. Getting hacked every few years is less painful, though.

(Actually Debian does this to some extent by asking upstreams for signed releases using a designated key, so this can be made to work)

1 comment

That's a good start, but what would have prevented the owner of "dujangoo" from signing their package? Nothing.
The key would appear untrusted, though. Which, admittedly, is not much of a defense: most developers would just assume it’s a new key and trust it blindly. Still, it would be an additional data point, and possibly another chance to spot the typo (if the UI repeats it).
That's why you check the signature to make sure it's the right one. It's almost always listed on the developer's web site, plus you can often google the signature to see if it's one other people are using as well.
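An added example of the check described in the last two replies (it is not code from the thread, from Debian, or from any project): a small Python release-verification policy that reads gpg's machine-readable `--status-fd` output and accepts a release only when the signature is good AND the signer's primary-key fingerprint matches one pinned in advance for that package name. A good signature from an unpinned key, which is exactly what a "dujangoo" author could produce, is reported as a distinct failure rather than being trusted on first use. The fingerprints, user IDs and status lines below are constructed placeholders, not real keys or real gpg output.

```python
"""
Release-verification policy on top of gpg's status output.

Run gpg as:   gpg --status-fd 1 --verify pkg.tar.gz.asc pkg.tar.gz
and feed its stdout to verify_release().  Everything here that looks like a
key, user ID or status line is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Full primary-key fingerprints copied in advance from the project's own web
# site (hypothetical values; "django" is used as the package name only to
# mirror the thread's typo-squatting example).
PINNED_KEYS = {
    "django": {"2EF56372BA38C9B7C2ED3C6D1E3CAC3A9DDEAC5B"},
}

FPR_RE = re.compile(r"^[0-9A-F]{40}$")


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None
    trust: Optional[str] = None


def parse_status(status_text):
    """Extract (primary fingerprint, TRUST_* level, BADSIG seen, error lines)."""
    fpr, trust, bad, errors = None, None, False, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # skip human-readable text if stderr was mixed in
        fields = line.split()
        if len(fields) < 2:
            continue
        kw = fields[1]
        if kw == "VALIDSIG":
            # VALIDSIG <sigkey-fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-fpr>]
            # Pin the primary key so a legitimate subkey rotation does not
            # break verification; fall back to the signing key if absent.
            fpr = fields[11] if len(fields) > 11 else fields[2]
        elif kw == "BADSIG":
            bad = True
        elif kw.startswith("TRUST_"):
            trust = kw  # TRUST_UNDEFINED == "this key is unknown to the WoT"
        elif kw in ("NO_PUBKEY", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            errors.append(line[len("[GNUPG:] "):])
    return fpr, trust, bad, errors


def verify_release(package, status_text, pins=PINNED_KEYS):
    """Return a Verdict; ok is True only for a good signature from a pinned key."""
    fpr, trust, bad, errors = parse_status(status_text)
    if bad:
        return Verdict(False, "signature does not match the file (BADSIG)")
    if fpr is None or not FPR_RE.match(fpr):
        detail = "; ".join(errors) if errors else "no VALIDSIG line"
        return Verdict(False, "no valid signature: " + detail)
    pinned = pins.get(package)
    if pinned is None:
        # A good signature from a key nobody vouched for proves nothing:
        # the "dujangoo" case.  Refuse instead of trusting on first use.
        return Verdict(False, f"no pinned key for {package!r}; signer {fpr} is unvetted", fpr, trust)
    if fpr not in pinned:
        return Verdict(False, f"signed by {fpr}, not a pinned key for {package!r}", fpr, trust)
    return Verdict(True, "good signature from pinned key", fpr, trust)


# Constructed sample status output (not real gpg runs).
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1E3CAC3A9DDEAC5B Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 2EF56372BA38C9B7C2ED3C6D1E3CAC3A9DDEAC5B 2016-08-01 1470009600 0 4 0 1 10 00 2EF56372BA38C9B7C2ED3C6D1E3CAC3A9DDEAC5B
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same shape, but signed by the typo-squatter's own (unknown) key.
TYPO_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7A1B2C3D4E5F6A7B Dujangoo Dev <dev@example.net>
[GNUPG:] VALIDSIG 0F0E0D0C0B0A090807060504030201007A1B2C3D 2016-08-02 1470096000 0 4 0 1 10 00 0F0E0D0C0B0A090807060504030201007A1B2C3D
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1E3CAC3A9DDEAC5B Example Maintainer <maint@example.org>
"""

if __name__ == "__main__":
    for name, status in (("django", GOOD_STATUS), ("dujangoo", TYPO_STATUS),
                         ("django", TYPO_STATUS), ("django", BAD_STATUS)):
        v = verify_release(name, status)
        print(f"{name:9} ok={v.ok!s:5} trust={v.trust} reason={v.reason}")
```

Note that gpg reports TRUST_UNDEFINED for both the genuine key and the squatter's key here: without a web-of-trust path, gpg itself cannot tell them apart, which is why the decision rests on the pinned fingerprint and not on whether gpg printed "Good signature".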