At a naive level, this sounds like the sort of supply chain attack we've all been taught to fear. Asking seriously: has this build been replicated? is the source different from mainline? if so, what changed and who changed it?
That’s also how free software distros work, and have always worked, in general: their job is[1] to prioritize the interests of the users as they see them over the vision of the developers, so that the users can choose the distro that reflects their interests most and still be able to use the software.
