Regarding the #backdoor in #xz-utils.
I'm by no means a programmer, but I know there is a concept called "reproducible builds". From my understanding, reproducible builds guarantee that the compiled artifacts are made from a given source, without altering the source code.
I've learned that the source code in the git repository did not contain any backdoors, but the downloadable tarball did.
Shouldn't there be a mechanism making sure that the tarball matches the source code?

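As an added example (not code from the original post, and not the xz project's own tooling), here is a small Python check of the kind the question asks about: hash every file in a VCS checkout, hash every file in the release tarball, and report what is only in the tarball, only in the checkout, or present in both but with different content. Everything in it is constructed for the demo: the file names, the tarball layout, and the "expected generated files" allowlist (here just `configure`) are assumptions, not the real project's file list.

```python
"""Added example, not from the original post: compare a release tarball
against a VCS checkout so that any file which cannot be traced back to the
checkout (or to an explicitly allowed set of generated files) stands out."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

SKIP_DIRS = {".git"}  # VCS metadata is not part of the shipped source


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_checkout(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    digests: dict[str, str] = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        if path.is_file() and not path.is_symlink():
            digests[rel.as_posix()] = _sha256(path.read_bytes())
    return digests


def hash_tarball(tar_path: Path) -> dict[str, str]:
    """Map each regular file in the tarball to its SHA-256, after stripping the
    conventional top-level directory (e.g. 'project-1.0/')."""
    digests: dict[str, str] = {}
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # directories, symlinks, devices carry no content
            parts = Path(member.name).parts
            rel = "/".join(parts[1:]) if len(parts) > 1 else parts[0]
            digests[rel] = _sha256(tar.extractfile(member).read())
    return digests


def compare(checkout: Path, tar_path: Path,
            expected_generated: frozenset[str] = frozenset()) -> dict[str, set[str]]:
    """Report differences. Files listed in expected_generated may legitimately
    exist only in the tarball; any other tarball-only file, and any file whose
    content differs from the checkout, is flagged."""
    src = hash_checkout(checkout)
    tar = hash_tarball(tar_path)
    only_tar = set(tar) - set(src)
    return {
        "unexplained_in_tarball": only_tar - set(expected_generated),
        "expected_generated": only_tar & set(expected_generated),
        "only_in_checkout": set(src) - set(tar),
        "modified": {p for p in set(src) & set(tar) if src[p] != tar[p]},
    }


def build_demo() -> tuple[Path, Path]:
    """Constructed fixture: a fake checkout plus a release tarball that adds
    one allowed generated file and one file (hypothetical name) that exists
    nowhere in the checkout."""
    root = Path(tempfile.mkdtemp())
    checkout = root / "checkout"
    tree = {
        "configure.ac": b"AC_INIT([demo], [1.0])\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "m4/ax_one.m4": b"dnl legitimate macro kept in VCS\n",
        ".git/HEAD": b"ref: refs/heads/main\n",
    }
    for rel, data in tree.items():
        f = checkout / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)

    tar_path = root / "demo-1.0.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tar:
        def add(rel: str, data: bytes) -> None:
            info = tarfile.TarInfo(name=f"demo-1.0/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for rel, data in tree.items():
            if not rel.startswith(".git/"):
                add(rel, data)
        add("configure", b"#!/bin/sh\n# generated by autoconf\n")   # allowed
        add("m4/extra.m4", b"dnl not present in the checkout\n")    # flagged
    return checkout, tar_path


if __name__ == "__main__":
    checkout, tarball = build_demo()
    for key, files in compare(checkout, tarball, frozenset({"configure"})).items():
        print(f"{key}: {sorted(files)}")
```

The allowlist is where this check gets hard in practice: autotools release tarballs legitimately contain generated files that are not in git, so a bare "tarball equals checkout" comparison always fails. The stronger form of the check, which this script does not do, is to regenerate those files from the tagged source with the same tool versions and compare the result byte for byte; that is the reproducible-builds idea applied to the tarball itself rather than to the compiled binary.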