by amingilani 2966 days ago
That is such a dick move. There should be a blacklist of people that pull these kinds of stunts. I understand that blacklists aren't Sybil resistant but they're better than nothing. At the very least the scum would have to rebuild their reputation.
2 comments

It's very easy to change identities online. That's why throwaway accounts are a thing... If you start trying to ban based on IP, then you're in the cat/mouse game that IRC folks have been fighting for decades.
You can solve this through a few user interaction metrics. I'm not active on Hacker News, so I don't have the privileges (karma) to downvote. A brand new account shouldn't be allowed to make a change such as this; getting enough reputation should require active involvement and code review of changes before they are accepted. Just as my karma can drop, people should lose privileges. That this is a sensitive piece with high security requirements means the bar can be even higher, requiring years of involvement before unverified commits can occur.
Why not a whitelist of users who can make changes to code flagged as security sensitive (or more specifically: security-authentication)?

Edit: digging through Reddit comments more suggests the repo owner may have been hacked, as commit blame shows his user made the changes. In this case a blacklist wouldn't help, and my suggestion may already be in place.
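The gate sketched in the comment above (an allow-list of accounts per security-sensitive path, reputation thresholds before an account may land unreviewed commits, and a second person's approval as the fallback) as an added Python example. It is not code from this thread or from any project discussed in it; the path globs, thresholds, account names and sample changes are all constructed. Approvals from the author's own account are deliberately ignored, which is the part that still helps in the edit's scenario of a compromised owner account: a stricter variant would drop the direct-commit branch and always require a second owner's approval on sensitive paths.

```python
from dataclasses import dataclass, field
from datetime import date
from fnmatch import fnmatch


@dataclass(frozen=True)
class Contributor:
    name: str
    joined: date           # account creation date
    karma: int             # reputation score, assumed to be maintained elsewhere
    reviewed_changes: int  # number of this person's changes that passed review


@dataclass
class Change:
    author: str
    files: list[str]
    approvers: list[str] = field(default_factory=list)  # accounts that approved


# Constructed allow-list: glob for a sensitive path -> accounts allowed to own it
SENSITIVE_OWNERS = {
    "src/auth/*": {"maintainer"},
    "src/crypto/*": {"maintainer", "crypto-lead"},
}

# Constructed reputation thresholds before an account may land unreviewed commits
MIN_ACCOUNT_AGE_DAYS = 365
MIN_KARMA = 500
MIN_REVIEWED_CHANGES = 10


def owners_for(path: str) -> set[str]:
    """Union of allow-listed owners for every sensitive glob matching path."""
    owners: set[str] = set()
    for pattern, names in SENSITIVE_OWNERS.items():
        if fnmatch(path, pattern):
            owners |= names
    return owners


def is_trusted(c: Contributor, today: date) -> bool:
    """Reputation gate: old enough, enough karma, enough reviewed history."""
    return ((today - c.joined).days >= MIN_ACCOUNT_AGE_DAYS
            and c.karma >= MIN_KARMA
            and c.reviewed_changes >= MIN_REVIEWED_CHANGES)


def evaluate(change: Change, contributors: dict[str, Contributor],
             today: date) -> tuple[bool, list[str]]:
    """Decide whether a change may land. Returns (accepted, reasons)."""
    reasons: list[str] = []
    author = contributors.get(change.author)
    if author is None:
        return False, [f"unknown author {change.author!r}"]

    # Two-person rule: approvals count only from known accounts other than the author
    approvers = {n for n in change.approvers if n in contributors and n != change.author}

    sensitive = [f for f in change.files if owners_for(f)]
    if sensitive:
        for path in sensitive:
            owners = owners_for(path)
            if change.author in owners and is_trusted(author, today):
                continue  # a trusted owner may commit directly
            if owners & approvers:
                continue  # approved by another owner of this path
            reasons.append(f"{path}: needs a trusted owner as author or an owner's approval")
    elif not (is_trusted(author, today)
              or any(is_trusted(contributors[a], today) for a in approvers)):
        reasons.append("non-sensitive change needs a trusted author or a trusted approver")

    return not reasons, reasons


# Constructed sample accounts and a fixed "today" so the demo is deterministic
TODAY = date(2024, 6, 1)
CONTRIBUTORS = {
    "maintainer": Contributor("maintainer", date(2015, 1, 1), 4200, 300),
    "crypto-lead": Contributor("crypto-lead", date(2019, 3, 10), 1500, 80),
    "newcomer": Contributor("newcomer", date(2024, 5, 28), 3, 0),
}


def demo() -> dict[str, bool]:
    """Run the gate over constructed changes; returns case name -> accepted."""
    cases = {
        "newcomer_edits_auth": Change("newcomer", ["src/auth/login.py"]),
        "newcomer_edits_auth_owner_approved": Change("newcomer", ["src/auth/login.py"], ["maintainer"]),
        "owner_edits_auth_direct": Change("maintainer", ["src/auth/login.py"]),
        "self_approval_ignored": Change("newcomer", ["src/crypto/kdf.py"], ["newcomer"]),
        "newcomer_edits_docs": Change("newcomer", ["README.md"]),
        "newcomer_docs_trusted_approver": Change("newcomer", ["README.md"], ["crypto-lead"]),
    }
    return {name: evaluate(c, CONTRIBUTORS, TODAY)[0] for name, c in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running it shows that a brand-new account can touch the sensitive paths only with an owner's approval, that approving one's own change counts for nothing, and that the reputation thresholds gate even the non-sensitive paths.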

It doesn't matter if it's "security sensitive" or not. Any compromised package can steal your secrets.