Verify the identity of developers
Posted Apr 4, 2024 18:59 UTC (Thu) by epa (subscriber, #39769)
In reply to: Verify the identity of developers by kleptog
Parent article: A backdoor in xz
If the developer’s public key is signed by a government agency and linked to their identity document (as apparently can be done in Germany) that is a stronger check than just checking a passport and associating it with a public key uploaded separately.
None of this is completely watertight. But right now it’s kind of embarrassing how easy it is to create a fake identity and use it to contribute or even become maintainer of a project.