@lrvick I’ve been talking about the issues with email as an identification mechanism for a while now: https://lyonheart.us/mistrusting-email/
Also, my reply to the piece sheds a bit more context on the gripe: https://hachyderm.io/@mattly/113194493747044259 – the gripe is about being labelled a “supplier”, which turns it into an “eff you, pay me” situation
@mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.
Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?
We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.