What can be done to protect open source devs from next xz backdoor drama?
ID: a24e170b-c071-5255-bea0-76a5f52e802f
STIX ID: report--a24e170b-c071-5255-bea0-76a5f52e802f
Feed Name: The Register (Security)
A sophisticated backdoor was found hidden in the xz-utils compression library (liblzma). On distributions whose OpenSSH server ends up linked against liblzma, it could have allowed an attacker holding the right key to execute commands on the machine over SSH before authentication. The malicious code, attributed to a contributor who had worked his way into a co-maintainer role, reached some bleeding-edge distributions (Debian Unstable, Fedora 40 while still in beta, Fedora Rawhide) but was spotted and pulled before it reached stable releases; the article discusses software supply-chain security and the implications for the open-source ecosystem.
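The summary does not say how an administrator would tell whether a host had picked up the backdoored build or whether the SSH path was even reachable on it. The POSIX shell script below is an added example, not code from the article or from the xz project. The affected upstream release numbers (5.6.0 and 5.6.1) come from the public advisories for this incident rather than from this page, and the ldd-based check assumes a glibc-based Linux host with sshd installed; the sample `xz --version` output used in the comments is constructed.

```shell
#!/bin/sh
# Added example: triage checks for the xz-utils backdoor described above.
# Affected upstream releases were xz-utils 5.6.0 and 5.6.1 (public advisory
# information, not taken from the summarised article).

# Return 0 if the given version string is one of the backdoored releases,
# tolerating a distro suffix such as "5.6.1-1".
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version number out of "xz --version" output, whose first line
# looks like "xz (XZ Utils) 5.4.5" (constructed sample). Prints nothing if
# the line does not match.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) *\([0-9][0-9.]*\).*/\1/p'
}

# Classify a captured "xz --version" output as affected, clean or unknown.
xz_status() {
    v=$(xz_version_from_output "$1")
    if [ -z "$v" ]; then
        printf 'unknown\n'
    elif xz_version_is_affected "$v"; then
        printf 'affected:%s\n' "$v"
    else
        printf 'clean:%s\n' "$v"
    fi
}

# Return 0 if the installed sshd is (transitively) linked against liblzma,
# which is the precondition for the backdoor's hook being reachable via SSH.
# Returns 2 if no sshd binary is found. Assumes ldd is available (glibc Linux).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Run both checks against the current host and print a one-line verdict each.
check_host() {
    out=$(xz --version 2>/dev/null || true)
    printf 'xz: %s\n' "$(xz_status "$out")"
    if sshd_links_liblzma; then
        printf 'sshd: linked against liblzma (backdoor path reachable if xz affected)\n'
    elif [ "$?" -eq 2 ]; then
        printf 'sshd: not installed\n'
    else
        printf 'sshd: not linked against liblzma\n'
    fi
}

# Only act when invoked as "sh xz_check.sh --run", so the file can also be
# sourced for its functions without touching the host.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

The version match is deliberately exact rather than a range comparison: only the two releases carried the injected build script and test-file payload, and later upstream releases are clean, so a greater-than test would produce false positives. The ldd check matters because the backdoor only becomes reachable where sshd is patched to link libsystemd and that library pulls in liblzma, which is why stock upstream OpenSSH was never exposed.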
