New comment by Chocimier on void-packages repository

https://github.com/void-linux/void-packages/pull/28400#issuecomment-771978889

Comment:
> Do you have a reasonable expectation that people are going to be losing their security tokens, not have them securely backed up (e.g. printout in a safe or bank deposit box), and then be unable to be contacted IRL to provide legal evidence of ID connecting an old security token to a new security token?

Yes, rarely. Contacting IRL is only meaningful when previous contact IRL occurred, which is not always the case.

> If the Void repos suddenly lost the private key used to sign repodata, what would you do?

Ask everyone to trust the new key?

> If a Void team member suddenly lost their github login and showed up the next day with a new account e.g. @Chocimier2 and insisted "yes I am the same person, please believe me and add me to the github org with push rights", what is your ideal proposed mechanism to verify the truthfulness of this statement?

I propose to reject that statement, treat Chocimier2 as a stranger and only add him to the organization once he earns trust as any other stranger does: by doing a month of meaningful work.

For packages, earning trust to be added to the repo, same as for any other new package, is: to verify the new source code against the new key, then add it to the repo.