We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.
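A minimal version of the checking bot the post above wishes for, written here as an added example rather than code from the thread or the project it discusses: it parses a coreutils-style checksum list, accepts both 40-hex SHA-1 digests (as the post describes) and 64-hex SHA-256 digests, compares them against release bytes, and wraps a detached-signature check with gpg. The sample checksum text, file bytes and keyring path are constructed assumptions.

```python
import hashlib
import re
import subprocess

# Assumption: the checksum file uses the coreutils "<hex>  <filename>" layout
# (an optional "*" before the name marks binary mode and is ignored).
LINE_RE = re.compile(r"^([0-9a-fA-F]{40}|[0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sums(text):
    """Map filename -> expected lowercase hex digest; skips blank and '#' lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def check_release(sums_text, artifacts):
    """Compare every listed digest with the bytes in `artifacts` (name -> bytes).
    Returns name -> 'ok' | 'mismatch' | 'missing'; the digest length selects the hash."""
    results = {}
    for name, digest in parse_sums(sums_text).items():
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
            continue
        algo = "sha1" if len(digest) == 40 else "sha256"
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = "ok" if actual == digest else "mismatch"
    return results


def signature_is_valid(sums_path, sig_path, keyring):
    """Verify the detached signature over the checksum file against a pinned keyring
    (only the trusted developer's key), so a forged list is rejected before hashing."""
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring, "--verify", sig_path, sums_path],
        capture_output=True,
    )
    return proc.returncode == 0


# Constructed sample release: the checksum list is derived from the genuine bytes,
# so a tampered tarball or a missing file shows up in check_release().
GOOD_TARBALL = b"release-1.0 tarball contents (constructed sample)"
GOOD_SIG_FILE = b"release-1.0 signature file (constructed sample)"
SAMPLE_SUMS = (
    "# SHA1SUMS for release 1.0 (constructed)\n"
    f"{hashlib.sha1(GOOD_TARBALL).hexdigest()}  release-1.0.tar.gz\n"
    f"{hashlib.sha256(GOOD_SIG_FILE).hexdigest()}  release-1.0.tar.gz.asc\n"
)
```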
Yes, I understand that. I also know that people like Dan Kaminsky review the source code, or at least did it once, and said it was ugly like hell but very well thought-out and bug-free.
But I also remember this and this.