We can all learn from this...
After such a high-profile site is compromised, it serves as a good point in time to review all your systems to be sure you haven't made the same mistake...
1. Always use SSH passwords/passphrases on keys...
2. Make them complex and long.
3. Never allow inbound SSH to systems that can publish to the greater world, from the greater world.
4. Always check the checksums, but --not against-- the site you got the file from... Software companies need to start publishing and signing the checksums separate from the website.
Chester Wisniewski
www.sophos.com
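Points 1 and 4 of the comment above can both be turned into routine checks. The POSIX shell functions below are an added example, not code from the comment or from Sophos: `key_is_encrypted` and `audit_ssh_keys` flag private keys stored without a passphrase (both the legacy PEM header and the newer OpenSSH container format), and `verify_download` checks a fetched file against a SHA-256 list obtained through a separate channel, verifying a detached signature on that list first when one is supplied. It assumes `sha256sum`, `base64`, `sed`, `awk` and `tr` are available, uses `gpg` only if installed, and all file names are hypothetical.

```shell
#!/bin/sh
# Added example; not part of the original comment. Assumes a POSIX shell
# with sha256sum, base64, sed, awk and tr; gpg is optional.

# key_is_encrypted KEYFILE
# Exit 0 if the private key is passphrase-protected, 1 if it is stored in the clear.
key_is_encrypted() {
    key="$1"
    # Legacy PEM keys (BEGIN RSA/DSA/EC PRIVATE KEY) announce encryption in a header.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
        # The newer format starts with the magic "openssh-key-v1\0" followed by a
        # length-prefixed cipher name; a cipher name of "none" means no passphrase.
        # Non-printable bytes are mapped to '.' so the prefix can be matched as text.
        if sed '1d;$d' "$key" | tr -d '\r\n' | base64 -d 2>/dev/null \
                | LC_ALL=C tr -c '[:print:]' '.' \
                | grep -q '^openssh-key-v1.....none'; then
            return 1
        fi
        return 0
    fi
    return 1
}

# audit_ssh_keys [DIR]
# Report every id_* private key under DIR (default ~/.ssh) that lacks a passphrase;
# exit 1 if any were found.
audit_ssh_keys() {
    dir="${1:-$HOME/.ssh}"
    rc=0
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        if key_is_encrypted "$key"; then
            echo "ok:          $key"
        else
            echo "UNENCRYPTED: $key"
            rc=1
        fi
    done
    return $rc
}

# verify_download FILE SUMS [SUMS_SIG]
# FILE is the artifact fetched from the download site; SUMS is the SHA-256 list
# obtained through a separate channel; SUMS_SIG is an optional detached signature
# over SUMS. Exit 0 only when every check passes.
verify_download() {
    file="$1"; sums="$2"; sig="$3"
    if [ -n "$sig" ]; then
        command -v gpg >/dev/null 2>&1 \
            || { echo "gpg not installed; cannot verify $sums" >&2; return 3; }
        gpg --verify "$sig" "$sums" >/dev/null 2>&1 \
            || { echo "bad signature on $sums" >&2; return 2; }
    fi
    name=$(basename "$file")
    # Entries look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 4; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    echo "verified $name"
}
```

A typical run is `audit_ssh_keys` on each host, and `verify_download release.tar SHA256SUMS SHA256SUMS.sig` where the sums and signature were fetched from somewhere other than the mirror that served the archive; the signing key itself has to be trusted through an earlier, separate step, which is exactly the out-of-band publication the comment asks vendors for.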