Sometimes you get gems from LinkedIn:
From Chris Wysopal:
https://www.linkedin.com/in/wysopal/
"It would be interesting to run this analysis across all open source committers. I'm keen to understand if we can root out other backdoors by detecting signals like these learned from the XZ backdoor incident."
THIS!