You're kidding, right?
One person can't just go into the code and edit it as they please or dump malicious content.
It is reviewed, cleaned, edited by other devs before it is completely published.
People don't simply dump compiled exes into the bitcoin dev project area. They put in lines of code, which get reviewed by the other devs before it's then added into the main code area, and then tested to ensure it does not cause other things to fall apart or become exploitable.
So it's not 'theoretically' possible to hide a trojan horse in the main bitcoin-core.
From my posting #4
I agree that new implementations are reviewed over and over by expert coders until they are released, but this is not the relevant part of it.
SSL had a flaw that was indeed exploitable until the core devs were convinced that they had to change the code and release v 0.9.0.
Before that, the guys either didn't know about the Heartbleed bug or they thought it was not necessary to update. This means that code - even after multiple reviews by good programmers - can contain bugs/flaws/exploitable parts, which either still have to be found or - in my example - were already found, but kept secret.