> An evil Debian maintainer would have to make a change that was well enough disguised as something else to evade scrutiny.
The xz utils hack got slurped up into sid before it was discovered by a researcher's performance regression in ssh. IIRC the hacked test file didn't even need to be added to the upstream source tree because Debian was blithely downloading release tarballs from Github. No evil Debian maintainer needed.
It's funny that when speculating about Debian's security you forget an actual state-level attack that got code into sid, but when speculating about Signal's insecurity in another thread you're quite happy to imagine potential state-level attacks.