> Seems like a statement to reassure users who don't necessarily have any trust in the new maintainer.

The statement didn’t seem reassuring.

It’d have been reassuring to hear something like “This person has been a committer for X period, and has demonstrated Y and Z.”

> They trust the new one.

Well my point is it doesn’t sound like they actually do trust the new maintainer. Maybe just poor choice of words, but it didn’t fill me with confidence.

‘I’ll keep an eye on the project and speak up if I discover my trust was misplaced’ is a kind reassurance to the anxious community, but anxiety will just use it as a launchpad for more anxiety. Nice of them to try, though.

I suspect a lot of folks would be horrified at how typical the former maintainer’s approach to trust is in actual reality. It ends up being necessary because there are maybe a single digit number of people in the world who are willing to commit to long-term project maintenance (beyond their own pet peeves, anyways) at all, and with the general hostility towards compensating anyone for their work in software, it’s not like a maintainer can afford to hire and develop a protégé. This is how maintainership worked in CPAN for decades and, barring a culture shift towards paying project maintainers for their maintenance effort, it’s how it’s going to continue working in most projects as us maintainers grow tired and fade out.

I agree - the statement could've been much more convincing. But it's above the threshold for me.

Although I agree if the new maintainer had some creds, it would've been better to use them in a similar reassurance like in your example. But it's hard to really vouch for someone, even if they've made X commits for the past Y years, etc.. Lots of examples here.

If it's still a random/(pseudo-anonymous) account you're trusting, unless there have been some real life appearances or if it's an account that's been proving itself for years, you can only trust them so much.

Basically I agree the message could be interpreted as "I don't trust them, so I'll be on the lookout for anything malicious", but, honestly, at first I just read it as "I trust it, but you can't really trust anyone, so I'll still be on the lookout".