I’ve thought of a related risk that would fall under my purview and I have a possible solution to propose.
I’ve stated that sponsored code I wrote for projects would be available in public GitLab repositories; however, that should be further specified. Similar to @dimitar’s escrow/pool, a community GitLab account could be created by an entity separate from myself.
The asset provenance would be:
- Community account creates empty repositories named for projects.
- I build with my account and in my forks of the repositories.
- From my account, I open merge requests with produced assets (code, documentation, etc.) in the repositories of the community account.
- Merge requests are accepted by the community account, assets are merged, and the assets are outside of my control.