I'm curious about two points not (to my knowledge) yet covered, probably for the simple reason that there hasn't been enough time for proper forensics:
1. What was the escalation path to root?
2. Completely aside from the git repo contents, were the downloadable *.tar.[gz|bz2] source archives trojaned? Are there any non-site-local mechanisms in place to detect such tampering (other than, of course, the fact that the Linux Kernel Archives OpenPGP key is well known, and some of us bother to check the *.tar.[gz|bz2].sign files?