no modifications to the code appear to have been made. Like they said, that would be hard/impossible because it's all signed off by Linus in git, so ever if they compromised the server it gets them nothing. They'd then have to compromise some accounts and submit patches and still get them approved.
This argument is completely bogus. I could just as easily have happened to any one else including Microsoft, and in those cases we might not even have heard about it.
It already has happened repeatedly to some hardware vendors where an actual payload was injected into their drivers, and they weren't open source.
Between open source and git it's dramatically more likely an injected payload would be detected long before dissemination could take place.
This argument is completely bogus. I could just as easily have happened to any one else including Microsoft, and in those cases we might not even have heard about it.
It already has happened repeatedly to some hardware vendors where an actual payload was injected into their drivers, and they weren't open source.
Between open source and git it's dramatically more likely an injected payload would be detected long before dissemination could take place.