Everybody would be able to see it. It might be hard to figure out, but you couldn't get away with it forever.
For that matter anybody who contributes to Linux could contribute a bad patch. Remember that a bad patch doesn't have to look like it has evil intent, it just looks like the author wasn't being careful with memory and... oops, there is a buffer overflow there.
I'm not aware this is possible. The git commits form some kind of dependent hash tree, so you cannot "rewrite history" without screwing up that tree.
Meaning: if someone altered the code on GitHub, the current trunk's hash would change. Subsequently, if Torvalds tries to push to this repo, he would receive an error.
Of course MS could offer Torvalds one "version" of the git, and everyone else a "tampered version"; keeping the two in perfect sync. But since the kernel git is also located on other sites, this tampering would show up sooner rather than later.
Edit, some small nit-picking: I think this should be prefixed with "Ask HN:" ;)
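Added example, not part of the thread and not Git's own code: a re-implementation of how Git derives SHA-1 object ids, showing that altering one byte in an older commit changes the id of every later commit, even one whose files are untouched. The file contents, the `WHO` identity and the timestamps are constructed for the demonstration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git's object id: SHA-1 over '<type> <size>\\0' followed by the body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files: dict) -> str:
    """Id of a flat tree; each entry is '<mode> <name>\\0' + raw 20-byte blob id."""
    body = b""
    for name in sorted(files):
        blob = git_object_id("blob", files[name])
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob)
    return git_object_id("tree", body)

# Constructed identity and timestamp, fixed so the ids are reproducible.
WHO = "Example Dev <dev@example.invalid> 1500000000 +0000"

def commit_id(tree: str, parent, message: str) -> str:
    # The parent's id is part of the hashed bytes, which chains the history.
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {WHO}", f"committer {WHO}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def build_history(snapshots):
    """Commit ids, oldest first, for a linear list of (files, message)."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids

# Constructed three-commit history.
HISTORY = [
    ({"main.c": b"int main(void) { return 0; }\n"}, "initial"),
    ({"main.c": b"int main(void) { return 0; }\n", "util.c": b"/* util */\n"}, "add util"),
    ({"main.c": b"int main(void) { return 1; }\n", "util.c": b"/* util */\n"}, "exit code"),
]

def tampered_history():
    """Same history with one byte of util.c changed in the second commit only."""
    altered = [(dict(files), msg) for files, msg in HISTORY]
    altered[1][0]["util.c"] = b"/* Util */\n"
    return build_history(altered)

if __name__ == "__main__":
    for good, bad in zip(build_history(HISTORY), tampered_history()):
        print(good, bad, "same" if good == bad else "DIFFERENT")
```

The third commit's tree is byte-identical in both histories, yet its id differs because the parent id it records has changed; that mismatch at the tip is what any other clone of the repository would notice.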
Is GitHub the master, or a sync from somewhere else? Are the commits GPG signed? Does anyone here know for a fact the build/test pipeline(s) validate on checkout that git has no errors and require human intervention if it does?