thinking about the #xz backdoor.

it might have been the maintainer, a long-term plan to backdoor after building trust.

it might have been someone else getting access to the maintainer's credentials.

it was discovered almost by accident, because xz is used in many places.

investigations found the backdoor in the code.

would we have discovered this in something closed source? maybe the performance degradation, but we wouldn't have seen the code then...
