It's open source.

Everybody would be able to see it. It might be hard to figure out, but you couldn't get away with it forever.

For that matter anybody who contributes to Linux could contribute a bad patch. Remember that a bad patch doesn't have to look like it has evil intent, it just looks like the author wasn't being careful with memory and... oops, there is a buffer overflow there.

I'm not aware this is possible. The git commits form some kind of dependent hash tree, so you cannot "rewrite history" without screwing up that tree.

Meaning: If someone altered the code on GitHub, the current trunk's hash would change. Subsequently, if Torvalds tries to push to this repo, he would receive an error.

Of course MS could offer Torvalds one "version" of the git, and everyone else a "tampered version", keeping the two in perfect sync. But since the kernel git is also located on other sites, this tampering would show up sooner rather than later.

Edit, some small nit-picking: I think this should be prefixed with "Ask HN:" ;)

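The hash dependency described in the comment above, as an added example that is not part of the original thread: it recomputes git-style object ids for a constructed three-commit history and for a copy whose first commit was altered. It assumes SHA-1 object ids and a flat tree with no subdirectories; the file contents, identity and timestamps are made up.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 over '<kind> <length>', a NUL byte, then the body: how git names objects."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files: dict) -> str:
    """Flat tree: entries sorted by name, each carrying the raw id of its blob."""
    body = b""
    for name in sorted(files):
        blob = git_object_id("blob", files[name])
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob)
    return git_object_id("tree", body)

def commit_id(files: dict, parent, message: str) -> str:
    """A commit names its tree and its parent, so its id depends on both."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    ident = "Example Dev <dev@example.invalid> 1700000000 +0000"  # constructed identity
    lines += [f"author {ident}", f"committer {ident}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_ids(snapshots) -> list:
    """Commit id of every snapshot in a linear history, oldest first."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(files, parent, message)
        ids.append(parent)
    return ids

# Constructed history: three commits, oldest first.
COPY = b"memcpy(dst, src, len);\n"
HONEST = [
    ({"copy.c": COPY}, "add copy helper"),
    ({"copy.c": COPY, "README": b"docs\n"}, "add README"),
    ({"copy.c": COPY, "README": b"more docs\n"}, "expand README"),
]
# Same history with only the FIRST commit's file changed; later snapshots are untouched.
TAMPERED = [({"copy.c": b"memcpy(dst, src, len + 1);\n"}, "add copy helper")] + HONEST[1:]

if __name__ == "__main__":
    for good, bad in zip(history_ids(HONEST), history_ids(TAMPERED)):
        print(good, bad, "MATCH" if good == bad else "DIFFERS")
```

The second and third snapshots have identical trees in both histories, yet their commit ids still differ because each commit hashes its parent's id. Anyone holding the honest tip id from another mirror sees the mismatch on the next fetch.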
Is GitHub the master, or a sync from somewhere else? Are the commits GPG signed? Does anyone here know for a fact that the build/test pipeline(s) validate on checkout that git has no errors and require human intervention if it does?