D**n, not a good week for open source software between this and the SourceForge/Gimp debacle. At least these are problems with infrastructure, not concept.
It's not just Gimp. The Nmap developer was complaining yesterday. And many other projects are apparently being served with sides of malware.
Man, this is unfortunate. I wish software and code providers would be required to, and would consistently, use PGP/GPG to sign the stuff they put up for grabs! As a code user who is trying really hard to remain secure, I always feel confident when I "down" a file/code authenticated by a 4K PGP key which I have verified. At that point a bad actor or MITM idiot becomes moot.