They got the stupid version number thing in; if they had thought of a better trap, they could probably have gotten that in instead.
The version number thing, actually, was a compromise. Bidzos wanted complete incompatibility with the existing codebase! So, to please his want of incompatibility, we made the version number change; something that would force people to upgrade to new versions (which people should be doing, anyways!)
The point is, the secret key would not be in the source code. I can't think of a way to use that; you can't; RSA couldn't; but I'm not convinced it's impossible.
If the secret key is not in source code, then where would it be? Any hooks that require the secret key can then be removed from the source code! The point of releasing source is so that people *CANT* put in dain-bramaged back doors like you propose; the point is that having the source code lets anyone see what's been done, and people can actually change their version to ignore it, if they wish! As for the version number hack; maybe some people think of it this way. I don't know, I'm not a mind reader. But from my vantage point, giving that little bit of rope has given us a US-legal PGP! -derek