by geenat 446 days ago
GitHub has a lot to lose if it was leaked that they were knowingly facilitating backdoors behind the scenes - many pay for the convenience and trust.

By the same standard, what are the repercussions for these random fly-by-night accounts? Just make a new account and try again on an existing project or fork / tweak / rebrand another project.

Steam, VSCode, PyPI, NPM... it would ruin those platforms overnight if they were putting in backdoors themselves.

1 comments

Reputational loss isn't a good argument either, because what the comment I replied to said is that repositories in control of people in e.g. Russia are dangerous. That implies that a Russian or Chinese maintainer of popular open source software is not safe, whereas someone employed by an American company is.

However, maintainers have a reputational loss risk, just like someone working at a company does, no?

And, of course, GitHub could just replace the file you're served when you download a file from it, and then blame a hacker, a rogue employee, or deny it happened. That is just as well technically possible as any other entity being forced, by their government, to do something, no?

And, of course, if a govt forces you, your reputation is not the thing you're worried about.

I understand your argument, but that seems like it's a different argument from the one I was disagreeing with.