
Qubes is just as vulnerable as Xubuntu in this case (poor website security), no?


We should really compare it to Windows here, since that's the target. But if we do compare it to a classic Linux distro like Xubuntu as a baseline:

Using Qubes would limit the blast radius for a scenario like this. In QubesOS, you would use disposable VMs (with no access to your crypto wallets or other user files) to download and flash an ISO. So even if this malware was targeting Linux, it wouldn't get zip and would disappear when you finish flashing and shut down that VM (as long as there isn't an unpatched exploit breaking the VM isolation involved).

Of course, if the ISO is bad then this won't save you from compromise once you boot it. But that's not what happened here.


Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].

[1] https://doc.qubes-os.org/en/latest/project-security/verifyin...


But aren't you still trusting the website for instructions about how to verify the cryptographic signatures?


The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.

Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.
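The two verification procedures described in the thread (the Qubes article's "verify the signature on the checksum file, then the checksum on the ISO", and the "clone the website repo, verify the PGP commit signatures against a key fingerprint cross-checked from independent sources" procedure above), worked through as an added Python example. This is not code from the Qubes documentation or from any commenter. It assumes `gpg` and `git` are on PATH for the subprocess calls; the fingerprints, gpg status lines, SHA256SUMS text and git log output below are constructed placeholders, not real Qubes values.

```python
"""Added example: pin a PGP fingerprint obtained from independent sources, then
verify (a) a signed checksum file plus the ISO it covers and (b) the commit
signatures of a cloned docs/website repo. All sample data is constructed."""
from __future__ import annotations
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed placeholder fingerprint (NOT the real Qubes key): in practice this
# comes from your distro's packaged keyring, a keyserver, and the website, and
# all three must agree before you pin it.
PINNED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

def norm_fpr(fpr: str) -> str:
    """Strip spaces and an optional 0x prefix, uppercase: '0x01 23' -> '0123'."""
    f = re.sub(r"\s+", "", fpr).upper()
    return f[2:] if f.startswith("0X") else f

def fingerprints_agree(*sources: str) -> bool:
    """True only if every independent source gives the same full 40-hex fingerprint."""
    normed = {norm_fpr(s) for s in sources}
    return len(normed) == 1 and re.fullmatch(r"[0-9A-F]{40}", normed.pop()) is not None

def gpg_validsig_fingerprint(status_out: str) -> str | None:
    """Return the primary-key fingerprint from a gpg --status-fd VALIDSIG line.
    'Good signature' alone is not enough: any key in your keyring yields one,
    so the caller must compare this fingerprint against the pinned one."""
    for line in status_out.splitlines():
        p = line.split()
        if len(p) >= 11 and p[0] == "[GNUPG:]" and p[1] == "VALIDSIG":
            # fields: fpr date ts exp ver reserved pk-algo hash-algo class [primary-fpr]
            return p[11] if len(p) >= 12 else p[2]
    return None

def gpg_verify_detached(sig: Path, data: Path, pinned: str = PINNED_FPR) -> bool:
    """Run gpg --verify and accept only a VALIDSIG by the pinned key (needs gpg)."""
    r = subprocess.run(["gpg", "--status-fd", "1", "--verify", str(sig), str(data)],
                       capture_output=True, text=True, check=False)
    fpr = gpg_validsig_fingerprint(r.stdout)
    return fpr is not None and norm_fpr(fpr) == norm_fpr(pinned)

def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse SHA256SUMS lines ('<hex>  name' or '<hex> *name') into {name: hex}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$", line.strip())
        if m:
            out[m.group(2)] = m.group(1).lower()
    return out

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_iso(iso: Path, sums_text: str) -> bool:
    """Checksum check only; sums_text must already have passed gpg_verify_detached."""
    expected = parse_sha256sums(sums_text).get(iso.name)
    return expected is not None and sha256_file(iso) == expected

def unsigned_or_wrong_key_commits(git_log: str, pinned: str = PINNED_FPR) -> list[str]:
    """Given `git log --format='%H %G? %GP'` output, list commits that are not
    signed by the pinned primary key. %G? is 'G' for good+trusted and 'U' for
    good but not in gpg's trust db; both are cryptographically valid, and the
    fingerprint pin is the trust decision, so both are accepted."""
    bad = []
    for line in git_log.splitlines():
        p = line.split()
        if not p:
            continue
        status = p[1] if len(p) > 1 else "N"
        fpr = norm_fpr(p[2]) if len(p) > 2 else ""
        if status not in ("G", "U") or fpr != norm_fpr(pinned):
            bad.append(p[0])
    return bad

def git_log_signatures(repo: Path) -> str:
    """Run git in a cloned repo (needs git); feed the output to the checker above."""
    return subprocess.run(["git", "-C", str(repo), "log", "--format=%H %G? %GP"],
                          capture_output=True, text=True, check=True).stdout

# Constructed gpg status output and git log output for offline demonstration.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_GIT_LOG = (
    "1111111111111111111111111111111111111111 G 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "2222222222222222222222222222222222222222 U 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "3333333333333333333333333333333333333333 N \n"
    "4444444444444444444444444444444444444444 G FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)

def demo_verify_constructed_iso() -> dict[str, bool]:
    """Write a constructed 'ISO', verify it against a sums file built from it,
    then tamper with it and verify again (expected: True, then False)."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "example.iso"
        iso.write_bytes(b"constructed, not a real ISO\n" * 1000)
        sums = f"{sha256_file(iso)}  example.iso\n"
        ok = verify_iso(iso, sums)
        iso.write_bytes(iso.read_bytes() + b"\x00")
        tampered = verify_iso(iso, sums)
    return {"iso_ok": ok, "tampered_ok": tampered}
```

The order matters: confirm the fingerprint from independent sources first, then verify the signature on the checksum file against that pinned fingerprint, and only then compare the ISO's hash. Checking gpg's exit code or grepping for "Good signature" skips the key-identity step, which is exactly what a compromised website would exploit by offering its own key.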


It's a standard procedure that could be learned in many other ways.


Check the history on archive.org and validate that the checksum wasn't changed to be the potentially malicious ISO?

It's not perfect... but it's better than nothing.


So... same as Linux Mint / Xubuntu?



