I wonder if this will be a "Reflections on Trusting Trust" situation; it's easy to spot malicious code in source control, but if your build machine was compromised to insert malicious code at compile time that would be easy to overlook.