Right, because that never goes wrong.[0,1]
[0]: https://news.ycombinator.com/item?id=42351722
[1]: https://tukaani.org/xz-backdoor/
The xz example does not support your case. Not only was every downstream build infected until it was discovered, it also needed a distro-specific modification (to openssh in Debian and Fedora, IIRC) to work at all.
alt Hacker News
The xz example does not support your case. Not only was every downstream build infected until it was discovered, it also needed a distro-specific modification (to openssh in Debian and Fedora, IIRC) to work at all.