A random person on the internet told me that a technology was secure(1), safe to use and didn't contain keyloggers because it is open source. While I can trivially detect the key stroke logger in this open source application, what can developers(2) do to protect themselves against rouge committers to open source projects?

Doing a back of the envelope threat analysis, if I were a rogue developer, I'd fork a branch on git and promote it's download since it would have twitter support (and a secret key stroke logger). If it was an SVN repo, I'd create just create a new project. Even better would be to put the malicious code in the automatic update routines.

(1) I won't mention which because I can only deal with one kind of zealot at a time.

(2) Ordinary users are at the mercy of their virus and malware detection software-- it's absurd to expect grandma to read the source of code of their open source word processor's source code to find the keystroke logger.