[johnklos]

Except that doesn't match reality.

Someone has worked on xz for several years. Are you saying that this somewhat active contributor was likely actively contributing, then all of a sudden stopped, also stopped paying attention, and also allowed their account to be compromised or otherwise handed it over to a nefarious party?

That fails the sniff test.

[c_rrodriguez]

See, people drop dead from OSS projects pretty frecuently, usually because they take on other life responsabilities and there is no cushion or guard against a bus factor. Then it is very easy to get credentials compromised or have your project took over by someone else.