by CaptainOfCoit 804 days ago
> Is that common to only communicate only through email/github?

Absolutely. I've both taken over libraries as a maintainer and given away the responsibility of maintaining a library after only communicating via text, and having no idea who the "real" person is.

> I guess some maintainers of open source projects will be more cautious after this story.

Which is completely the wrong takeaway. It's not the maintainer who is responsible for what people end up pulling into their project, it's up to the people who work on the project. Either you trust the maintainer, or you don't, and when you start to depend on a library, you're implicitly signing up for updating yourself on who you are trusting. For better or worse.

1 comments

Trusting the maintainer also means trusting that they won't hand over the project to someone untrustworthy. It is the maintainer's responsibility to honor that trust if they want their software to be used in the first place.