There is a big difference between handing over source code and pushing signed patches to a device. A key principle in modern Cryptography is that if your algorithm has to stay secret in order to remain secure then it is inherently insecure. The same could be said of source code. Handing over the source code to China should not effect the security of the platform, otherwise it is inherently insecure. Handing over signing keys however is completely different.
