> Any corruption of the git repository on kernel.org would cause checksum mismatches and, thus, would be immediately noticed by Linus and others.
It could show up, not as a checksum mismatch, but as a "forced update". I noticed the system upgrade problem mentioned above as a "forced update" from e99d11d to 4193d91 (something like "e99d11d...4193d91 (forced update)"), and spent some time making sure that it was just "going backwards in time" and not something more obviously malicious.
There is another security barrier not mentioned above: most users do not build kernels directly from the kernel.org git repository (I would in fact guess most people get their kernels already compiled from the Ubuntu repositories), and even the ones that do will not build a new kernel all the time (they will build for instance one or two kernels per day at most). The exception being the kernel developers, which are also the ones who can notice odd things more quickly. This gives time for a malicious commit to be found before it spreads too much.