> even though you have no reasonable expectation that such commits are likely to contain malicious code and you're actually just butthurt

Other than the tiny bit where that's not true. An institution just demonstrated that they are willing to submit malicious code, and don't feel any need to tell you that they did so (even after the fact). It's perfectly reasonable to ask if they've done this before.