Luckily there's a long thread on the bitcoin-dev mailing list about how disastrous the consequences can be if somebody is able to change the git tree because of this attack scenario, so I'm not the only one who thinks that signing only the commit can cause billions of dollars' worth of damage. And this doesn't take into account that almost all companies use open source software developed on GitHub, so I believe that any remote possibility of adding malware to open source software is an emergency situation.