Where is there any law that says you can't put any code you want into open source that is completely visible, auditable, and reviewable by everyone who uses it?
The CFAA is quite broad. I wouldn't be surprised if it's broad enough to allow for prosecution in this case. If you interpret the CFAA as narrowly as possible, then you might only be able to prosecute when the backdoor is exercised, but at the very least you could. And then there's the world outside the U.S., where the laws might be broader.
Why would it matter that the thing being sabotaged is "completely visible, auditable, and reviewable"? Do you have any specific laws in mind that you think would not apply?
If you were referring to the malicious code being contributed, not to the open source project as a whole, I don't think "completely visible" is an accurate description of the deliberately obfuscated chain of m4 gobbledygook and binary blobs that makes up the backdoor.
Not challenging you. Genuinely curious.