ACM: Reflections on trusting trust.
To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.
— Ken Thompson
backdoor in upstream xz/liblzma leading to ssh server compromise
Timeline of the xz open source attack
Scary SSH backdoor malware in Linux supply chain: How to find and fix it!