
Looks like it's open source https://github.com/macOScontainers


Unfortunately, that doesn't answer their question.


It answers both of their questions. Git lets you see the author and they can audit the code if they like.


IMO that’s not good enough, especially when disabling SIP is involved.

We don’t even have certainty that the human running the account is who they say they are (anyone can make a GitHub account and make it look like a real person).

Not everyone who wants to use a container system understands the underlying code of that container system. If I’m a web developer using Docker Desktop or podman to build my PHP app, I’m not necessarily going to understand the code written in Go when my specialty is PHP.


Yes, it does. There’s only one contributor for most of it and you can click to see his profile.

With the source code available and the primary contributor clear, what more could anyone want? Certainly it’s a bit much for one to ask for a security audit they themselves won’t do.


> With the source code available and the primary contributor clear, what more could anyone want?

Reproducible builds. :)


How hard is it to make a GitHub profile?

If I am a developer using podman/Docker to build my PHP images, am I expected to understand code written in Go?

These are all acceptable risks until someone is asking me to disable SIP.



