> Isn't one of the most striking things about the hacker community the extreme amounts of time and effort that are put into things that are not expected to generate any profit?
You're conflating the hacker-as-in-threat-actor community with the hacker-as-in-Linux-maintainer community.
Sure, generally speaking, people who try to break into computer systems for profit do not have a lot of overlap with people who spends lots of time writing open source software for fun.
But in this case it is not hard to imagine that the XZ-perpetrator came from the second group, right?
Edit: I mean, this wouldn't be that different from when Ken Thompson demonstrated how to do a hidden backdoor in the C compiler?
You're conflating the hacker-as-in-threat-actor community with the hacker-as-in-Linux-maintainer community.