@mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.
Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?
We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.