From what I've read is not authentication bypass, it's a RCE using certificates to deliver the payload. If a specific signature is found it runs the code that was sent in place of the signing public key. It also means that only someone who has the ability to generate that specific key signature could use the RCE.

There were some other bits that looked like they could have been placed to enable compromising other build systems in the future when they checked for xz support.

That's awesome, I had an iRiver as well. Ended up putting custom firmware on it after a bit as the original firmware was buggy at times and lacked features. The device itself was surprisingly capable and could even play video.

I'n Windows it is not stored in a keyring but instead in the registry. This has basically the same security threat model as a local key file.

The ssh-agent on Linux will do what you want with effectively the same security. The biggest difference being that it doesn't run as a system service but instead runs in userspace which can make it easier to dump memory. There are some other agent services out there with additional security options but they don't change the threat model much.

My memory of the cp command is that attributes such as file times were transferred at the last step. I think this would make rsync safe in most situations where a system crash wasn't involved.

I think I remember running into that as well but for whatever reason I couldn't get accelerated-x working with the opengl libraries I was using for school. Likely the issue was just a lack of understanding on my part as I don't think I had a good grasp of the Linux library loader until well after I graduated.

You may want to try hotter too if you haven't yet. Printing faster can sometimes require a bit of extra heat and too low can cause a different kind of stringing.