@neauoire Wait, what?
> Protecting {...} consumers of the open source ecosystem, including large enterprises, from these types of attacks is the first and most critical step toward securing the supply chain.
That's the whole point of signing commits and tags in the first place. If you have a proper GPG setup, it doesn't matter if you use a complex 2FA auth system, a simple FTP server with a suitcase password, or just swap stuff on some open mailing list like kernel devs.
@dryak yeah... I... beats me.