Most current thinking on the matter is that the emails were harvested from an email archive server in potential response to a FOI request, and the folder with the HARRY_READ_ME.txt, code, data, and documents, were gathered up from individual computers and aggrigated in that same zip file.
Then someone at CRU put the zip file in a pubically accessable FTP server and someone else found it.
It could have been someone “fishing” around publically accessable FTP servers who found it, not a “whistle blower.”
Point is, CRU should know all of this by now, and have the IP address of the computer(s) that downloaded the file. It will all come out eventually.
IMO the files would have been aggregated together by an internal whistle-blower, carried out on a pendrive and published from a public computer in Norwich shopping centre.