[nupark]

People rarely look at diffs closely enough to detect intentionally obscured malicious additions.

Unintentionally malicious additions slip through all the time: they're called bugs.

[rll]

Ah, but we actually do. Especially when a commit comes from someone new or someone who doesn't normally commit to that part of the code. In order to sneak a malicious commit through, you would need to hijack the account of a user that normally commits to the part of the code you want to modify. On top of that, you probably want to find someone who has recently become less active since otherwise they would see a commit with their name on it and catch it right away. And finally, you would need to make it non-obvious so someone wouldn't be able to tell anything was amiss with a casual glance. It would be an interesting experiment.

[nupark]

I think you're overestimating your ability to note a small security bug in a diff.

If it was as easy as you seem to think, we probably wouldn't introduce such bugs by accident in the first place.

It can be as innocuous looking as using strncpy instead of strlcpy.