The solution to the impersonation aspect of this is commit signing. It is literally built into Git. There are no good excuses for project maintainers not to sign commits at this point. Grab a YubiKey or other GnuPG smartcard and do it. Else someone is going to impersonate you and use your name, reputation, and repos to spread malware like this. Have your git hosting provider refuse unsigned commits (GitHub/GitLab allow this).

Secondly, stop trusting pip/PyPI. You -can- upload GPG package signatures but clients totally ignore them. There is no way to verify the author of a pip package except by hand today.

Let me be really clear here. When you install a pip package you are executing arbitrary code from the internet with unknown authorship.

Pip is fundamentally broken until signature validation is implemented.
Whenever possible use OS package managers like apt which actually verify authorship and integrity.
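An added example, not part of the comment above or of any project it names, of the check that "refuse unsigned commits" implies: audit the signature status git reports per commit (the `%G?` codes from git-log(1)) and, going one step further than the comment, also require that the signing key belongs to a known maintainer, since a valid signature from an attacker's own key proves nothing. The sample log lines and key fingerprints are constructed.

```python
import subprocess
from typing import Iterable

# %G? codes from git-log(1): G good, B bad, U good but key validity unknown,
# X good but signature expired, Y good but key expired, R good but key revoked,
# E cannot be checked (e.g. key missing), N no signature at all.
STATUS_TEXT = {"G": "good signature", "B": "BAD signature", "U": "good signature, key validity unknown",
               "X": "signature expired", "Y": "signing key expired", "R": "signing key revoked",
               "E": "signature could not be checked", "N": "no signature"}
STRICT = {"G"}         # only valid signatures from keys marked trusted in the local keyring
LENIENT = {"G", "U"}   # also accept valid signatures from keys the keyring has not marked trusted

def parse_log(lines: Iterable[str]) -> list[tuple[str, str, str, str]]:
    """Parse '%H %G? %GF %GS' lines into (sha, status, fingerprint, signer)."""
    rows = []
    for line in lines:
        parts = line.strip().split(" ", 3)
        if len(parts) < 2:
            continue  # blank or malformed line
        parts += [""] * (4 - len(parts))  # unsigned commits leave %GF and %GS empty
        rows.append(tuple(parts))
    return rows

def find_violations(lines, allowed=STRICT, maintainers=None):
    """Return [(sha, reason)] for commits failing the policy; with `maintainers`
    (a set of key fingerprints) a valid signature from any other key fails too."""
    bad = []
    for sha, status, fpr, signer in parse_log(lines):
        if status not in allowed:
            bad.append((sha, STATUS_TEXT.get(status, "unknown status " + status)))
        elif maintainers is not None and fpr not in maintainers:
            bad.append((sha, f"signed by non-maintainer key {fpr} ({signer})"))
    return bad

def git_log_signatures(rev_range: str, repo: str = ".") -> list[str]:
    """Produce the input format from a real repo (signer keys must be in the keyring)."""
    res = subprocess.run(["git", "-C", repo, "log", "--format=%H %G? %GF %GS", rev_range],
                         check=True, capture_output=True, text=True)
    return res.stdout.splitlines()

# Constructed sample output shaped like `git log --format='%H %G? %GF %GS'`; fingerprints are fake.
MAINTAINER_KEYS = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}
SAMPLE = [
    "1111111111111111111111111111111111111111 G AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 Alice <alice@example.org>",
    "2222222222222222222222222222222222222222 N",
    "3333333333333333333333333333333333333333 U BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222 Bob <bob@example.org>",
    "4444444444444444444444444444444444444444 B CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333 Mallory <m@example.org>",
]
```

Run it as a CI gate with `find_violations(git_log_signatures("origin/main..HEAD"), maintainers=...)` and fail the job if the list is non-empty.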