Did you read the link as I did? The server hosting the packages was compromised. This could have happened to any software, not just open source, and I'm sure it has.
>The same goes for "verified" binaries, packages, etc... apparently that is not always the case.
If proper package signing was in place, like most modern distros support, then this couldn't have happened. The backdoor was not in the main code in SVN or in Git, which specifically protects against this exact problem, but added to unprotected releases dumped on a server.
>What are the possibilities that such code could make its way into some piece of extremely popular public facing software, say Apache?
Git uses a lot of hashes but they're for speed, not for security. If you want security from Git, you must cryptographically sign your commits, which is pretty common in big projects.
No bad code was added to the code base.
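The distinction drawn above, between a hash that anyone can recompute and a signature that needs the maintainer's private key, as an added example (not code from the thread or any project mentioned in it). It assumes a detached Ed25519 signature over a SHA-256 digest of a release archive, with the project's public key pinned on the client rather than downloaded from the same server; real distros use GPG or their own package-signing formats, but the check has the same shape. The release content and the "compromised server" swap are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a constructed stand-in for a tarball published on a download
// server, together with the metadata published next to it.
type Release struct {
	Name      string
	Content   []byte
	SHA256    string // hex digest the server publishes beside the file
	Signature []byte // detached Ed25519 signature over the SHA-256 digest
}

// NewProjectKey generates the project's signing keypair. In practice the
// private half lives on the maintainer's machine, never on the download host.
func NewProjectKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func digest(b []byte) []byte {
	d := sha256.Sum256(b)
	return d[:]
}

// Publish simulates the maintainer cutting a release: hash the archive and
// sign the hash with the private key before uploading.
func Publish(name string, content []byte, priv ed25519.PrivateKey) Release {
	d := digest(content)
	return Release{
		Name:      name,
		Content:   content,
		SHA256:    hex.EncodeToString(d),
		Signature: ed25519.Sign(priv, d),
	}
}

// SwapOnServer simulates the scenario from the thread: the download server is
// compromised and the archive is replaced, with the checksum file regenerated.
// Recomputing a hash costs nothing; the signature cannot be regenerated
// without the private key, so it is left as it was.
func SwapOnServer(r Release, newContent []byte) Release {
	r.Content = newContent
	r.SHA256 = hex.EncodeToString(digest(newContent))
	return r
}

// VerifyHashOnly is what a checksum-only download check does: it detects
// corruption in transit, but not a substitution made on the server itself.
func VerifyHashOnly(r Release) bool {
	return hex.EncodeToString(digest(r.Content)) == r.SHA256
}

// VerifySigned is what a package manager with signing enabled does. The
// public key is pinned on the client, so a swapped archive fails here even
// when its published checksum matches.
func VerifySigned(r Release, pub ed25519.PublicKey) bool {
	if !VerifyHashOnly(r) {
		return false
	}
	return ed25519.Verify(pub, digest(r.Content), r.Signature)
}

func main() {
	pub, priv := NewProjectKey()
	// Constructed release content standing in for a real archive.
	genuine := Publish("example-1.0.tar.gz", []byte("genuine release bytes"), priv)
	swapped := SwapOnServer(genuine, []byte("release bytes with an added backdoor"))

	fmt.Printf("genuine: hash ok=%v signature ok=%v\n",
		VerifyHashOnly(genuine), VerifySigned(genuine, pub))
	fmt.Printf("swapped: hash ok=%v signature ok=%v\n",
		VerifyHashOnly(swapped), VerifySigned(swapped, pub))
}
```

The checksum check passes for both releases because the attacker controls the checksum file; only the signature check separates them, and only because the public key was obtained out of band. This is the property the distro package managers referred to above rely on.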