I don’t think pseudonymous developers can build true reputation and trust, because you can never know if the person behind the pseudonym is the same at all times.
In fact, many “sting operations” I’ve seen rely on government agencies taking over and impersonating pseudonymous admin accounts surreptitiously, for example.
I consider pseudonymous developers and anonymous developers to be the same, and I consider both to be a step below developers who use their real identity to publish their work, in terms of trust/preference.
This isn’t to say everyone should publish things using their real name; there are plenty of reasons not to, but if you don’t, then you have to make up for that lower trust in other ways.
Even if the developer’s real identity is public, how can you know that they aren’t under a gag order, or hacked? You can’t be sure either way. At least, pseudonymous developers cannot be forced to comply unless their real identities are exposed.
You can verify someone’s long-term identity on the internet, if they always sign their commits/binaries/messages with the same PGP key. Even if their servers are compromised, effective impersonation isn’t possible unless their private keys are also leaked.
I guess in that sense, what truly matters would be that the software ABC is truly open-source software, but that it is also audited.
Kind of like when they make a new discovery in a health clinical trial, it’s only truly accepted when it’s reproduced by others, peer-reviewed with a randomized placebo control.
To me, it should be the same with privacy software (without the placebo control :P). That way, whether it’s published by a credible source or a random pseudonym doesn’t matter. I feel like this is lacking in the community mostly because it’s resource intensive.
There should be a website that catalogs all the audits made: which software has passed an audit and which hasn’t.
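The comment earlier in the thread about always signing with the same PGP key can be checked mechanically. The sketch below is an added example, not code from any poster or project in this thread: it takes the output of `git log --format='%H %G? %GP'` and reports every commit that breaks continuity with a pinned primary-key fingerprint. The sample log, commit ids and fingerprints are constructed, and the pinned fingerprint is assumed to have been obtained out of band.

```python
# Signer-continuity check over `git log --format='%H %G? %GP'` output.
# %G? status letters (git docs): G good, U good but key validity unknown,
# B bad, X expired signature, Y expired key, R revoked key,
# E cannot be checked, N no signature. %GP is the primary key fingerprint,
# so rotating signing subkeys under the same primary key does not trip it.
# G and U are accepted: the trust decision here is the pin, not the keyring.
ACCEPTED = {"G", "U"}

# Constructed sample data (not real commits or keys).
PINNED = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
OTHER = "9999000099990000999900009999000099990000"
SAMPLE_LOG = [
    f"c0ffee1 G {PINNED}",
    f"c0ffee2 U {PINNED}",
    "c0ffee3 N",
    f"c0ffee4 G {OTHER}",   # valid signature, but from a different identity
    f"c0ffee5 R {PINNED}",  # pinned key, but git reports it revoked
    f"c0ffee6 B {PINNED}",  # signature does not verify
]


def check_continuity(log_lines, pinned_fpr):
    """Return (commit, reason) for each commit not validly signed by the pin."""
    pinned = pinned_fpr.replace(" ", "").upper()
    findings = []
    for line in log_lines:
        parts = line.split()
        if not parts:
            continue
        commit = parts[0]
        status = parts[1] if len(parts) > 1 else "N"
        fpr = parts[2].upper() if len(parts) > 2 else ""
        if status == "N":
            findings.append((commit, "unsigned"))
        elif status not in ACCEPTED:
            findings.append((commit, f"signature status {status}"))
        elif fpr != pinned:
            findings.append((commit, f"signed by different key {fpr or '?'}"))
    return findings


if __name__ == "__main__":
    for commit, reason in check_continuity(SAMPLE_LOG, PINNED):
        print(f"{commit}: {reason}")
```

A clean result only shows that the same private key was used throughout; as the same comment notes, it says nothing if that key itself has leaked.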