Looks like some good will come out of the kernel.org intrusion:
WHAT ABOUT FILE UPLOADS?
The "robot signing" of uploaded files that was used in the past is no
longer considered to be sufficiently secure, so a new policy has been
instituted. A new tool ("kup") has been developed to help with the
implementation of that policy; it works in a manner similar to the
upload system used by the Debian project.
The kup tool will require developers to sign files with their PGP key
prior to uploading to kernel.org. This mechanism will keep the private
signing keys from ever being stored on kernel.org (or any other server).
More information will be made available once the file upload capability
Glad to see them tightening this up.
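
The sign-before-upload pattern the announcement describes can be tried locally. This is an added example, not kup's code or anything from the kernel.org announcement; it assumes GnuPG 2.1 or later, and the key name, file name and directories are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: the uploader signs locally, and the receiving side
# holds only the public key. All names and contents below are constructed.
demo_signed_upload() {
    work=$(mktemp -d) || return 1
    dev="$work/dev"; srv="$work/srv"      # two separate keyrings
    mkdir -m 700 "$dev" "$srv" || return 1
    printf 'constructed release payload\n' > "$work/release.tar"

    # Developer side: a throwaway key that lives only in the developer keyring.
    gpg --homedir "$dev" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Dev <dev@example.invalid>' \
        default default never 2>/dev/null || return 1
    # Detached signature made before anything leaves the developer's machine.
    gpg --homedir "$dev" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$work/release.tar.asc" \
        "$work/release.tar" || return 1

    # Server side: import the public key only.
    gpg --homedir "$dev" --batch --armor --export > "$work/dev.pub" || return 1
    gpg --homedir "$srv" --batch --quiet --import "$work/dev.pub" \
        2>/dev/null || return 1

    rc=0
    # Check 1: the genuine upload verifies against the public key.
    gpg --homedir "$srv" --batch --verify "$work/release.tar.asc" \
        "$work/release.tar" 2>/dev/null || rc=1
    # Check 2: the server keyring contains no secret key material.
    secrets=$(gpg --homedir "$srv" --batch --with-colons \
        --list-secret-keys 2>/dev/null)
    [ -z "$secrets" ] || rc=1
    # Check 3: a file modified after signing must fail verification.
    printf 'tampered\n' >> "$work/release.tar"
    if gpg --homedir "$srv" --batch --verify "$work/release.tar.asc" \
        "$work/release.tar" 2>/dev/null; then
        rc=1
    fi

    # Stop the per-keyring agents and remove the scratch directory.
    gpgconf --homedir "$dev" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$srv" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return $rc
}
```

Calling `demo_signed_upload` returns 0 only when all three checks hold: the signature verifies, the receiving keyring has no secret keys, and the altered file is rejected.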