
Forgive me for the ignorance but why is this significant if at all? Honestly curious, not being facetious.


If they can replace the front page html, they could probably also replace the source code distribution with a backdoored/trojaned tarball. Or someone else might already have done so, since who knows how long ago, using the same exploit.


But would they also be able to replace the public key of the authors in all the other places it appears on the Internet?


That. That's why the authors PGP-sign their sources. Furthermore, some of us maintain GPG trust paths, so replacing it on every other place on the Internet would still be futile.
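The point made in the two comments above (a compromised site can swap tarball, signature and the published key together, so the signature only means something when it is checked against a key obtained through an independent trust path) can be demonstrated in a few lines. The following is an added example, not code from this thread or from the OpenSSL project; it uses Go's standard-library Ed25519 as a stand-in for PGP/RSA, and every key, tarball and version string in it is constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Release is what a download site serves: the tarball, a detached signature
// over it, and a copy of the signing public key published beside them.
type Release struct {
	Tarball []byte
	Sig     []byte
	SiteKey ed25519.PublicKey
}

// signRelease produces a release signed with the given private key.
func signRelease(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{
		Tarball: tarball,
		Sig:     ed25519.Sign(priv, tarball),
		SiteKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyNaively trusts the key served next to the download. It only proves
// that tarball and signature were produced by the same party, whoever that is.
func VerifyNaively(r Release) bool {
	return ed25519.Verify(r.SiteKey, r.Tarball, r.Sig)
}

// VerifyPinned checks the signature against a key the user obtained through
// an independent trust path (local keyring, web of trust, an earlier release)
// and ignores whatever key the site happens to be serving today.
func VerifyPinned(pinned ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pinned, r.Tarball, r.Sig) {
		return errors.New("signature does not verify under the pinned maintainer key")
	}
	return nil
}

// BuildScenario creates a maintainer key pair and two releases: the genuine
// one, and an attacker's replacement in which tarball, signature and the
// published key were all swapped at once. All data is constructed sample data.
func BuildScenario() (ed25519.PublicKey, Release, Release, error) {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Release{}, Release{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Release{}, Release{}, err
	}
	genuine := signRelease(maintainerPriv,
		[]byte("openssl-X.Y.Z.tar.gz: constructed sample contents"))
	trojaned := signRelease(attackerPriv,
		[]byte("openssl-X.Y.Z.tar.gz: constructed sample contents plus backdoor"))
	return maintainerPub, genuine, trojaned, nil
}

func main() {
	pinned, genuine, trojaned, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	// The naive check is satisfied by both releases, so it detects nothing.
	fmt.Println("naive check, genuine :", VerifyNaively(genuine))
	fmt.Println("naive check, trojaned:", VerifyNaively(trojaned))
	// Only the pinned check distinguishes them.
	fmt.Println("pinned check, genuine :", VerifyPinned(pinned, genuine))
	fmt.Println("pinned check, trojaned:", VerifyPinned(pinned, trojaned))
}
```

The pinned key stands in for a PGP key already in your keyring or reachable through a trust path; the same logic is what `gpg --verify` performs when the signing key was imported before the download rather than fetched from the same page.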


There are also benefits to using decentralized distribution channels like bittorrent. So a single source can't be compromised.


This shows that website security depends on far more than just deploying over SSL.


Who runs OpenSSL? Is it again volunteers? I think big companies need to step in and help create infrastructure for these big projects.


Yes, all-volunteer. There are no ongoing commercial sponsors for that project.


As it should be. There was a story on HN a few weeks ago about why open source projects better not run on funding. Something about making it obligatory to work on the project and add features just to do something. And of course the people "donating" have some say in what's going on. I'm not saying backdoors per se, but should we want any sort of pressure this way?


Sounds like there is a need to sponsor OSS writers and not the actual projects. Kind of like having tenure but of course it would have to be voluntary, merit-based, etc.


This seems to be based on the humorous idea that big companies provide better security.


He took the best of us and tore it down. People will lose hope. (Yet another Batman reference.)



