by ryanjshaw 803 days ago
You're very confident that this could have been avoided so can you point out EXACTLY what he should have done differently?

As far as I can tell, the only way to detect the manipulated release would have been to compare the release tarballs with one built independently, to detect the extra build script that had been inserted that injected the backdoor.

Of course, anybody in the world could have done this, including you, and yet... neither you, nor anybody else, did. The reality here is that the entire supply chain is at fault - source code should be built from the public repo, not from a tarball.

Many very experienced people, and public companies, allowed this to happen. It's not fair to pick on one person.
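As an added example (not part of the thread), the check the comment describes: compare a release tarball against an archive built from the public repository and report files that exist only in the release, or whose bytes differ. All file names and contents below are constructed; in practice `repo_tar` would be the output of `git archive` for the tagged commit and `release_tar` the published download.

```python
import io
import tarfile


def tar_files(tar_bytes: bytes) -> dict[str, bytes]:
    """Map each regular file's path (top-level directory stripped) to its content."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                # Drop the "project-1.2.3/" root so differently named roots line up.
                path = member.name.split("/", 1)[-1]
                files[path] = tar.extractfile(member).read()
    return files


def compare_release(release_tar: bytes, repo_tar: bytes) -> dict[str, list[str]]:
    """Files only in the release, only in the repo, and files whose bytes differ.
    'only_in_release' is where an unreviewed extra build script would show up."""
    rel, repo = tar_files(release_tar), tar_files(repo_tar)
    return {
        "only_in_release": sorted(set(rel) - set(repo)),
        "only_in_repo": sorted(set(repo) - set(rel)),
        "modified": sorted(p for p in rel.keys() & repo.keys() if rel[p] != repo[p]),
    }


def make_tar(root: str, files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar.gz from {path: content} (stand-in for real archives)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{root}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data (not real project files): the public repository, and a
# release that adds one hypothetical m4 script and edits configure.ac to include it.
REPO_FILES = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
RELEASE_FILES = dict(REPO_FILES, **{
    "configure.ac": b"AC_INIT([demo], [1.0])\nm4_include([build-aux/extra.m4])\n",
    "build-aux/extra.m4": b"# hypothetical injected macro, absent from the repo\n",
})

if __name__ == "__main__":
    for key, paths in compare_release(make_tar("demo-1.0", RELEASE_FILES),
                                      make_tar("demo", REPO_FILES)).items():
        print(f"{key}: {paths}")
```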