Well, the impact might not be that big anyway. Only people downloading copies / patches in the timeframe where the server was compromised are at risk. Let's say the average lifetime of a webserver-installation is 6 months, then one days compromise is still less than one percent.
And I expect that the Apaches you get from various distribution repositories have had their source verified by some secure-ish hashing mechanism anyway.
Still a bummer. I'll install IIS on our servers as soon as I find out where they hide the versions that can run on real OS'es.