Most distributions (i.e. the Arch Linux one you linked to) digitally sign their packages with private keys, so the people who compromised kernel.org wouldn't be able to tamper with them without causing verification failures by the package management system.
One huge problem could be downloadable ISOs for live images or installer DVDs. Since you are booting up your system with them, there would be no reliable automatic signature verification.
I downloaded a CentOS-6 ISO from the kernel.org mirror just the other day, and broke out in a cold sweat when I saw this story. However, CentOS and just about everyone else publishes checksums of their ISOs. I compared my download against the checksum, and, to my relief, it matched.
It would be wise if everyone compared checksums immediately after downloading something like this. Alternately, you can use a protocol like BitTorrent for the download, which compares checksums automatically.
"Don't try to outweird me, three-eyes. I get stranger things than you free with my breakfast cereal." - Zaphod Beeblebrox in "Hithiker's Guide to the Galaxy"