[aborsy]

Couldn’t the submission to the Debian be possible only under real identities so that people take responsibility for what they submit?

A random person or group nobody has ever seen or knows submitted a backdoor.

[0rdinal]

1. How could Debian effectively verify an identity?

2. Some people may want to remain pseudonymous for legitimate reasons.

[aborsy]

It’s not straightforward.

The developers (at least important ones) could register with Debian project, just like they would with a company: submit identity and government documents, proof of physical address, bank account, credit card information, IdP account, .. It would operate like an organization.

The lead developers could meet and know each other through regular meetings. Kind of web of trust with in person verification. There are already online meetings in some projects.