Re: Checksums anyone?
I'm not sure any amount of checksum / hash wizardry would have helped.
If attackers manage to sneak a malicious file into your repository and the person on the Transmission team who does the release doesn't notice, then adding steps to the release process where they send a hash to an external website wouldn't help, unless the external website independently verifies that there is nothing bad in the installer.
I guess one of the big AV companies could offer an automated service that signs a particular release to say "Free of known viruses as at 14:49 7 March 2016". That seems like a big risk for the AV company though, eventually they are bound to sign something which later turns out to be malware.