The contributed code will be reviewed by Qubes team before accepting or rejecting it
That’s what I actually wanted to hear. Just finished reading closely related thread How can Qubes OS protect itself from Malicious Code Contributions, and already found that “There are very few people with commit rights to Qubes OS”. Actually, that thread is more related to my concerns.
What’s so different in them compared to any other contributor?
It wouldn’t be an issue for me, if, for example, Patrick Schleizer made such contributions.
I really do think that Moscow-based “cyber-security team”, which activity consists only of Qubes-related commitments, deserves a lot of “review thoroughness”.
Maybe I’m too biased, because I spend a lot of time in a bomb-shelter lately. But, personally, I do believe that developer’s location matters. Wouldn’t you be concerned if some previously unknown group of developers from North Korea or Iran started to actively make contributions to Qubes?
As for “Guantanamo” argument and CIA contributors - it is inevitable, I’m sure they can have everything they need. But we could and should resist less capable state actors.