While it's certainly possible to rewrite git history, it's tricky to do it without other maintainers or contributors noticing, since anyone trying to pull into an existing local repo (rather than cloning fresh) would be hit with an unexpected non-fast-forward merge.
It seems likely to me that Lasse Collin would have one or more long-standing local working copies.
So IMHO injecting malicious changes back in time in the git history seems unlikely to me. But not strictly impossible.
Based on how this has gone (remember xz has effectively been orphaned for years, and the majority of long-standing setups were using the release archives), unless if Lasse has never run any code from Jia (unlikely) I'd consider the entire machine untrusted (keys, etc). Provided the tarballs are still signed from that date, from another immutable source, that's really the only starting point here to rebuilding.
It seems likely to me that Lasse Collin would have one or more long-standing local working copies.
So IMHO injecting malicious changes back in time in the git history seems unlikely to me. But not strictly impossible.