lelanthran a month ago
The problem with this argument against is that it reinforces the point it is arguing against: If a contributor cannot afford the $20/year to publish for a single 12-month period, then they are already a risk - someone could buy their account off them. A small bar of $20/year is also enough to completely cut down on contributors who sign up with the intention of publishing malicious packages: they have to pay $20/year for each malicious package they want to publish!
com2kid a month ago
Why should someone need a credit card to contribute to open source? Why should they need to understand DNS? Heck, domain names are ephemeral, forget a deadline by a day and they are snatched up by squatters. They don't provide any extra guarantees. Do we really think a domain requirement is going to stop state-level actors that are already stealing 2FA package publishing tokens from major software orgs?