Hacker News

The alternative is this: you get a nifty certificate from Sigstore that allows you to be sure that "somerando@outlook.com" has indeed authored the lib you depend on. How do you check if that's what you want? How much security do you get from knowing that the email is definitely correct for a person you know nothing about?

