
The backdoor was not targeting Nix, but it had to avoid raising any suspicion during a build in Nix in order not to be exposed.


The backdoor build script specifically checked for things indicating that it's being built for Debian, and if not, did not insert the backdoor; so it was only ever non-reproducible in situations where reproducibility wasn't expected. It's not hard to make sure a backdoor with control over the build environment doesn't raise suspicions in non-targeted places.


Also, wasn't the backdoor reproducible to begin with? If it had targeted every system, you'd just get reproducible backdoored binaries.


The infected version was only the tarball, which was part of the obfuscation (i.e. people may look at git commits, but who individually checks the autogenerated code in the tarballs of every release?).

Building from the git commit the release claimed to be from would result in a different binary than building from the tarball, if the environment check passed.
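The check the comment above is pointing at, comparing a release tarball against the git tree the release claims to be built from and reporting the files a commit-by-commit review would never have seen, as an added shell example. This is not code from the thread or from the xz project; the repository layout, the file names and the extra macro file in the demo are constructed for illustration, and the script assumes the tarball has a single top-level directory, as GNU-style release tarballs do.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project: compare a
# release tarball against the git tree the release claims to come from.
# Assumes the tarball has a single top-level directory (GNU-style releases).
set -eu
LC_ALL=C
export LC_ALL

# tarball_vs_git TARBALL GITDIR
# Prints "tarball-only: PATH" for files shipped only in the tarball (the
# "autogenerated" files nobody reviews in git) and "modified: PATH" for
# files present in both that differ byte for byte. Prints nothing when the
# tarball matches the git tree exactly.
tarball_vs_git() {
    tarball=$1
    gitdir=$2
    tmp=$(mktemp -d)
    tar -xf "$tarball" -C "$tmp"
    top=$(ls "$tmp")                      # the single top-level directory
    extracted="$tmp/$top"
    ( cd "$extracted" && find . -type f | sort ) > "$tmp/tar.lst"
    ( cd "$gitdir" && find . -type f ! -path './.git/*' | sort ) > "$tmp/git.lst"
    # comm -13: lines only in the second listing, i.e. only in the tarball
    comm -13 "$tmp/git.lst" "$tmp/tar.lst" | sed 's/^/tarball-only: /'
    # comm -12: files in both listings; byte-compare each pair
    comm -12 "$tmp/git.lst" "$tmp/tar.lst" | while IFS= read -r f; do
        cmp -s "$gitdir/$f" "$extracted/$f" || echo "modified: $f"
    done
    rm -rf "$tmp"
}

# Constructed demo (file names made up for this example): a tiny "repository"
# and a release tarball that ships one extra m4 file and a tweaked
# configure.ac that pulls it in.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/repo/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$work/repo/configure.ac"
    printf 'dnl reviewed in git\n' > "$work/repo/m4/legit.m4"
    cp -R "$work/repo" "$work/demo-1.0"
    printf 'dnl shipped only in the tarball\n' > "$work/demo-1.0/m4/extra.m4"
    printf 'AC_INIT([demo], [1.0])\nm4_include([m4/extra.m4])\n' \
        > "$work/demo-1.0/configure.ac"
    tar -cf "$work/demo-1.0.tar" -C "$work" demo-1.0
    tarball_vs_git "$work/demo-1.0.tar" "$work/repo"
    rm -rf "$work"
}

demo
```

Run it against a real release by extracting nothing by hand: `tarball_vs_git xz-x.y.z.tar.gz /path/to/checkout-of-tag` lists exactly the files a reviewer of the git history has not seen, which is where the review of a tarball-only release needs to start.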



