Sometimes I like that a lot of my work is typical enterprise stuff. Nothing gets to prod without some poor soul working through a huge test catalogue on a separate environment and/or a higher-up signing off on it.
It's also annoying because you can't "just ship" a small fix or change without someone signing off on it.
Check your contract; you might not own the code, and your organization may have a process to determine how to license something.
To your other questions (IANAL):
Prior work won't be licensed, meaning no one but the owner of the work is allowed to do anything with versions prior to the license.
You don't have to, but I can't see a reason why you should not.
GPL might mean that other work depending on GPL-licensed code has to be licensed in a GPL-compatible way, depending on how exactly you depend on it and how you distribute your dependencies. MIT/BSD is easier here, if you don't plan to license everything with the GPL anyway.
No, the solution is not to pay someone so that you have someone to blame if shit happens.
There are a busload of people involved on the way from a git repo to actual stuff running on a machine, and everyone in that chain is responsible for having an eye on what they are building/packaging/installing/running, and if something seems off, it's their responsibility to investigate and communicate with each other.
Attacks like this will not be solved by paying someone to read source code, because the code in the repo might not be what is going to run on a machine, or might look absolutely fine in a vacuum, or will be altered by some other part in the chain. And even if you have dedicated code readers, you can't be sure that they are not compromised or that their findings will reach the people running/packaging/depending on the software.
I can't see how paying someone would have changed anything in this scenario.
This seems to be a long-running campaign to get someone into a position where they could introduce malicious code. The only thing different would have been that the bad actor would have been paid by someone.
This is not to say that people working on FOSS should not be paid. If anything, we need more people actively reviewing code and release artifacts, even if they are not a contributor or maintainer of a piece of software.
And no, I have not tested it because I don't know how I'm actually supposed to do that.
Depends on what you back up and how.
If it's just "dumb" files (videos, music, pictures, etc.), just retrieve them from your backups and check if you can open the files.
Complex stuff? Probably try to rebuild the complex stuff from a backup and check if it works as expected and is in the state you expect it to be in. How to do that really depends on the complex stuff.
I'd guess for most people it's enough to make sure to back up dumb files and configurations, so they can rebuild their stuff rather than being able to restore a complex system in exactly the same state it was in before bad things happened.
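One way to make the "retrieve the files and check them" step mechanical, as an added example that is not part of the commenter's post: record a SHA-256 manifest of the "dumb" files when the backup is taken, then compare a test restore against that manifest. The script below is self-contained; the directory layout, file contents, the bit-flipped photo and the missing note are all constructed inline to show the three failure classes a restore test should surface (missing, silently corrupted, and unexpected files).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large media files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record the digest of every regular file under root, keyed by POSIX-style relative path.

    Run this at backup time and store the result alongside the backup (or off-site).
    """
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns four lists: files that match, files absent from the restore,
    files whose content changed, and files present that were never backed up.
    """
    report: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    for rel in build_manifest(restored):
        if rel not in manifest:
            report["unexpected"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario (assumed data, not real backups): a source tree and a flawed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "a.jpg").write_bytes(b"\xff\xd8\xff" + b"A" * 100)
        (src / "notes.txt").write_text("important\n")
        (src / "config.yaml").write_text("key: value\n")
        manifest = build_manifest(src)  # what you would store at backup time

        restored = Path(tmp) / "restored"
        (restored / "photos").mkdir(parents=True)
        # One byte differs: the file still "opens" as a JPEG header but is not the original.
        (restored / "photos" / "a.jpg").write_bytes(b"\xff\xd8\xff" + b"A" * 99 + b"B")
        (restored / "config.yaml").write_text("key: value\n")
        # notes.txt deliberately not restored; stray.tmp was never in the backup.
        (restored / "stray.tmp").write_text("leftover")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

A restore test that only checks "can I open the file" would have passed the corrupted photo here; a manifest comparison catches it, and an empty `missing` and `corrupt` list is the actual evidence that the backup is restorable.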
Technically correct, and I am no lawyer, but I can't see how in the world I owe anyone a warranty who loads code on their machine, compiles it and uses it, all without any input by me.
Everything that I intend to be more than throwaway code, and that lives for whatever reason in a public repo, gets either an MIT or a GPLv3 license.
Had issues like that from time to time, when graphics drivers got borked during the update or did not exist for the new kernel.
The solution was always to either remove the drivers and reinstall them, or roll back to an earlier snapshot and wait a week.