Hacker News
by snickerdoodle12 300 days ago
On the other hand it's pretty crazy you could just get a domain blacklisted like that

It was quite possible to independently prove my report was genuine. I am confident they didn't take my word for it.

I give Google a lot of well-deserved criticism, but they handled this issue pretty well and quite promptly.

Couldn't you pay pretty much any random official in a corrupt country to produce a death certificate in any name you want? Maybe it's a bigger bribe than normal, but it seems like it would be routine.
So this is where I'd highlight the benefits that an actual human looked at and responded to my email (a rarity for Google), and hence could use human discretion to decide that what I indicated was indeed accurate, and not randomly from a random corrupt country. I really have to emphasize: Any security process that actually works has humans in the loop! (Security doesn't scale.)

The other thing, of course, is that the domain was expiring. So similar to PyPI just accepting in the parent article that an expired domain isn't trustworthy, Google could verify shortly thereafter whether or not the domain was renewed by the developer in question.

And ultimately, you're suggesting paying off an official to pretend someone is dead, so you can block package updates to a domain, which doesn't really introduce a security issue, and of course, is trivially reversible when the person in question is, in fact, still alive. As Tony Stark would say, "Not a good plan".

I don't think you've ever dealt with the likes of US credit bureaus if you think getting something like a death announcement is "trivially reversible".

I forever am and forever will be a civil engineer somewhere in upstate New York thanks to them. Never mind I was still in high school at the time and don't even have a shred of engineering qualifications. Whoever you are, thanks for the borrowed ladder my friend.

Reminds me of this presentation from a decade ago https://www.youtube.com/watch?v=9FdHq3WfJgs