by imron 1317 days ago
> When I see things like this, the first question I have is why?

My default assumption is three letter agencies surreptitiously adding back doors.

3 comments

With how many careless programmers there are, writing massive quantities of security-critical code... why would they bother? (Outside of maybe a few narrow, high-value contexts.) That's like surreptitiously working to make sure that there are plenty of cat pictures on the web, and that water flows downhill.

As a default assumption, this may be a bit conspiratorial. Inserting something like this into a git repo is relatively easy to track, and a given "contributor" could not do many such things without being caught. Not saying we should ignore the possibility, though...

But there are plenty of ways for such agencies to gain similar access, including any kind of closed code in BIOSes, drivers, firmware etc. Or by taking control of select infra, and injecting MITM features there (that would remain stealthy, and only activate for very select targets.)

> Not saying we should ignore the possibility, though...

Two suspected and one confirmed attempt in Linux from a post 6 years ago: https://www.reddit.com/r/linux/comments/54in5s/the_nsa_has_t...

Found this while looking for a more recent one I vaguely remember involving a bad implementation of, I think, /dev/random.

This should be a reasonable position to take. There are means and motivation present. The threat model should be taken seriously.