@chansecodina @hyc @coderanger I see no technical solutions to defend against (1). The only solution to (1) is for users of a project to somehow pay for at least 2 people to be maintainers of the thing.

At the end of the day we are delegating trust to the project maintainers, and that one person delegated control of their system to someone else.