New comment by eli-schwartz on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771896892

Comment:
As a developer for a Linux distribution, you'll have to ask yourself how confident you are that that is what ACTUALLY happened, rather than a malicious attacker breaking into e.g. github and hijacking lines of communication. Your proposed case is a sob story, not a cryptographic proof...

Assuming you do decide to believe that story, and re-bootstrap your Trust On First Use relationship with upstream, the fact that that happened is visible in the git commit history for the package, so that people are aware that yes, something changed.

For the record, people don't generally "just lose" their cryptographic security tokens like that.