by cassianoleal 1798 days ago
That may be so, but it's usually been through code reviews, pull requests and whatnot - which means a maintainer somewhere has approved that code.

In any case, "a random nickname on the Internet, using a computer somewhere in the globe" is a lot more information than none.

Finding out that that's the case for a given project is part of traceability.


How do you ensure it wasn't a malicious maintainer?

That information is meaningless if it traces back to an empty room.

If the project has a malicious maintainer, it's easier to find out if it's in the open - and either forcing change or not using the project at all. It's impossible to do that when you have no access to that information in the first place.

It's not perfect but it's something vs nothing. I'll take something every time.

How do you track down a malicious maintainer who introduces a back door slowly over the course of a year, a little change at a time, given how long CVEs in OpenSSL have gone unnoticed, for example?