> The constraint that it must "look reasonable to a casual human inspector" doesn't make
The constraint makes sense in the specific context of a php script. Too many times, I have
been bitten by an update to a webapp that broke my customized setup. Therefore, whenever I
install an update for a webapp, I look at the diff. Now, I am not a php expert and I don't
analyze it in detail, so it's quite likely that I will miss a subtle backdoor. However, if I
see 100000 lines of garbage that were introduced just to make the md5 sums coincide, I will
become extremely suspicious. I am sure thousands of other people who perform due diligence
when installing updates will notice the same thing.