by wakeupcall 807 days ago
I didn't think of "identity" in this sense, but I don't see this as a show-stopper either.

On my current gig developer churn is not high, yet I've only recently met developers hired 6+ months ago. I know first-hand only a handful of the committers I see. Barely know the most common committers. I generally do watch commits of the trees/projects I'm interested in, but I'm a minority, and such behavior wouldn't catch something similar to the xz situation unless I'm absolutely lucky.

This also ignores the fact that you can just as well corrupt a current employee.


You might not know them, but HR does. No way your employer is sending them money every month without a reasonable degree of certainty that they are who they say they are. Or, at the very least, that they aren't 3 hackers in a trenchcoat.

And corrupting an employee doesn't sound that easy, either. I mean, we do get paid above average.

That still leaves shit third party contractors and compromising employees' computers/accounts, though.