lelanthran 21 hours ago
> Multiple package managers are trying to move to ssh keys and other stronger forms of verification, as well as trying to outlaw binary tarballs and other such things.

What do binary tarballs have to do with it? Whether the package is in source form or in binary form, a long dependency chain attack is equally likely to succeed.