Hacker News
by treffer 803 days ago
The actual inclusion code was never in the repo. The blobs were hidden as lzma test files.

So your review would need to guess from 2 new test files that those are, decompressed, a backdoor and could be injected, by code which was never in the git history.

This was explicitly built to evade such reviews.


> The blobs were hidden as lzma test files.

OK, that is absolutely devious.

I suppose you think the maintainers shouldn’t have scrutinized those files? Please tell me it’s a joke.

The person who added the malicious blobs and signed the compromised archives was literally a maintainer of the project.
Ok, go ahead and scrutinize those files without looking at the injection code that was never in the repo? Can you find anything malicious? Probably not; it looks like random garbage, which is what it was claimed to be.
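The disagreement above is about what scrutinizing a binary test fixture can actually tell a reviewer. The following script is an added example, not code from the Hacker News thread or from the xz project, that triages lzma/xz test files the way a reviewer might: it decompresses each one and reports what the output looks like. All three fixtures are constructed inside build_fixtures(), and the shell-script markers are a hypothetical heuristic. The third fixture shows the limit of this approach: a stream that does not decompress cannot be cleared by inspection at all, because nothing in the bytes distinguishes a deliberately "corrupt" test vector from a carrier whose real content is only unlocked by a step outside the repository.

```python
"""Reviewer-side triage of compressed test fixtures (.xz / .lzma).

Added example. Decompresses each fixture and describes the output so a
reviewer can separate "readable compressed text" from "random-looking data"
from "cannot be validated". All fixtures are constructed in build_fixtures();
none is real test data from any project.
"""
import lzma
import random
import string
from dataclasses import dataclass

PRINTABLE = set(string.printable.encode())
# Hypothetical heuristic: substrings suggesting the output is a shell script.
# Markers are kept long enough that random data will not match by accident.
SHELL_MARKERS = (b"#!/bin/sh", b"#!/bin/bash", b"eval ")


@dataclass
class FixtureReport:
    name: str
    decompresses: bool        # False: stream is truncated or corrupt
    size_out: int             # decompressed length (0 if decompression failed)
    printable_ratio: float    # share of printable bytes in the output
    looks_like_script: bool   # any SHELL_MARKERS found in the output


def triage_fixture(name: str, data: bytes) -> FixtureReport:
    """Decompress one fixture (.xz or legacy .lzma, auto-detected) and describe it."""
    try:
        plain = lzma.decompress(data)  # FORMAT_AUTO handles both .xz and .lzma
    except lzma.LZMAError:
        # Decompression failed. Inspection of the raw bytes cannot tell an
        # intentionally broken test vector from a carrier that needs an
        # external unlocking step, so this must be justified by the test
        # that consumes it, not by staring at the blob.
        return FixtureReport(name, False, 0, 0.0, False)
    if not plain:
        return FixtureReport(name, True, 0, 0.0, False)
    printable = sum(1 for b in plain if b in PRINTABLE) / len(plain)
    scripty = any(marker in plain for marker in SHELL_MARKERS)
    return FixtureReport(name, True, len(plain), printable, scripty)


def needs_human_attention(report: FixtureReport) -> bool:
    """Fixtures a reviewer must account for: unreadable streams and script-like output."""
    return (not report.decompresses) or report.looks_like_script


def build_fixtures() -> dict:
    """Constructed sample fixtures (not files from any real project)."""
    rnd = random.Random(1)  # seeded so the example is deterministic
    random_payload = bytes(rnd.getrandbits(8) for _ in range(2048))
    script_payload = b"#!/bin/sh\nx=$(printf 'hello')\necho \"$x\"\n"
    script_xz = lzma.compress(script_payload)
    return {
        # Legitimate-looking fixture: decompresses to high-entropy bytes.
        "good-random.xz": lzma.compress(random_payload),
        # Decompresses to a readable shell script: a reviewer can see it.
        "good-script.xz": script_xz,
        # Stream footer (12 bytes) cut off: decompression fails before the
        # end-of-stream marker, so the content cannot be inspected at all.
        "bad-truncated.xz": script_xz[:-12],
    }


def triage_all(fixtures: dict) -> list:
    return [triage_fixture(name, data) for name, data in fixtures.items()]


if __name__ == "__main__":
    for r in triage_all(build_fixtures()):
        flag = "REVIEW" if needs_human_attention(r) else "ok    "
        print(f"{flag} {r.name}: decompresses={r.decompresses} "
              f"out={r.size_out}B printable={r.printable_ratio:.2f} "
              f"script={r.looks_like_script}")
```

Run it with no arguments to triage the constructed fixtures; to use it on a real checkout, feed the bytes of each file under the project's test directory to triage_fixture. Note which fixtures land in the REVIEW bucket for which reason: a script-like output is something a reviewer can read and judge, whereas a non-decompressing stream only tells the reviewer that the accompanying test, and the build scripts in the release artifact rather than just the repository, are where the real review has to happen.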