Luckily the source tarball is the more important one to check, because that's the difference between backdooring one distribution and backdooring them all.
It's still not trivial because there might well be legitimate processing steps that are used to create the tarball, but it should be doable.
It's still not trivial because there might well be legitimate processing steps that are used to create the tarball, but it should be doable.