Comment by nathan_long

7 years ago

That was a different issue IMO. I've stopped maintaining open source projects that others rely on, and I owe them nothing. They can fork my code if they like.

And yes, it's users' responsibility to decide what code they trust. But "I trust developer/organization X" is a reasonable way to decide that, and auditing every single release is far, far more expensive. I'd be betraying their trust if I let a complete stranger release an update in my name.