Yes, but there is still the private signing key that allows for trusted uploads of new (possibly compromised) versions.
True, but it's still an open-source project. Uploading backdoored binaries would be easy enough, but compromising the code would be a lot more complicated.
I'm sure the NSA is very good at writing obfuscated code, but there are other factors in place. The TC code audit started a few months ago, and there hasn't been an update to TC in 2 years. Any new updates to TC are going to be reviewed *very* carefully - sudden updates to a 2-year-stable project right after the beginning of a code audit look very suspicious.
I use TrueCrypt. I realize that there are other options out there, but TrueCrypt has a few advantages - namely that it allows hidden volumes and it's cross-platform, free-as-in-beer, and open-source (even if not technically FOSS). So now what? TrueCrypt won't go away. I can save a copy of the installer for the 2012 release, and, more importantly, there are copies of the code out there - particularly in the hands of the code audit team.
If we assume that the TC dev got an NSL, it would potentially explain the announcement. The dev decided to burn the crop and salt the field rather than let it be co-opted by the NSA. And, based on what happened with LavaBit, the NSA must have anticipated at least the possibility of this response. If anything, it was probably more likely. LavaBit was a commercial operation - they had a financial incentive to go along, keep their mouth shut, and keep the business going. Instead, they decided to do the right thing and shut down.
So assuming the NSA sent a National Security Letter to the TC dev, why, and why now? NSLs have been around for years. It seems odd that the NSA would wait until now to try to force in a backdoor, particularly with the likelihood that attempting to do so would result in the "burn and salt" response. If the NSA felt it was worth forcing TC into a go-along or shut down choice, they would have done it years ago.
One possibility is that TrueCrypt has an exploit that is currently known by the NSA, but not known by the TC devs. Once the code audit started, the NSA was concerned they would lose their backdoor, and issued National Security Letters to the audit team requiring that they not expose the flaw, and to the dev team requiring that they not fix it. At this point, this seems like it might be the most likely option, assuming we aren't looking at a site defacement. Hopefully we'll get some clarification soon.