daniel:// stenberg:// on Nostr: "If the attacker instead can just sneak the code directly into a release archive then ...

"If the attacker instead can just sneak the code directly into a release archive then it won’t appear in git, it won’t get tested and it won’t get easily noticed by team members!"

... like... xz.