These are just excuses. Anyone who wants (and can) introduce vulnerabilities will do so from wherever as yet another "Jia Tan". You'll have to introduce strict identity checking (like passport verification) and require signed commits, and then you'll lose half of your committers. I've seen several people on LKML who belong to minorities and obviously hide their real identity for fear of discrimination — we'll lose them too.
(I like how some people have zero facts about the xz vuln, but somehow "know" who is responsible for it. Those who actually know their stuff and try to control for their biases are not so sure.)