Yeah that's all true, but fixing that is going to do little to address the security issues. A campaign like this would find or create another opportunity. They spent at least a year infiltrating the project.
> Yeah that's all true, but fixing that is going to do little to address the security issues.
I'm not sure this is the case. I'd imagine it would be harder to infiltrate a project which pays its contributors. Yes, there is incentive to stay on as maintainer, provide some modicum of dignity, but also maintainers wages would be traceable back to real bank accounts. Professionalize a project and that project can get serious about security, etc., too.
