Isn't the fake repo event issue similar to spoofing NIP05 for domains you don't own?
Sure, anyone can pretend to have elon@x.com nip05, but there is an easy way to verify it.
Sure, WoT all things, but clients should also be able to easily verify that the repo holds the maintainers.yml?
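
The two checks the post compares, as an added example that is not part of the original post: a NIP-05 lookup against the domain's own `/.well-known/nostr.json`, and a check that the key announcing a repo is listed in that repo's maintainers.yml. Assumptions: the `fetch` callable, the function names, and a maintainers.yml layout of hex public keys under a top-level `maintainers:` key are hypothetical; all keys, domains and file contents are constructed.

```python
import json
import re

HEX_PUBKEY = re.compile(r"[0-9a-f]{64}")
NIP05_ID = re.compile(r"([a-z0-9._-]+)@([a-z0-9.-]+\.[a-z]{2,})")


def nip05_matches(identifier, pubkey, fetch):
    """True only if the domain's own nostr.json maps the name to this pubkey."""
    m = NIP05_ID.fullmatch(identifier.lower())
    if not m or not HEX_PUBKEY.fullmatch(pubkey):
        return False
    name, domain = m.groups()
    url = f"https://{domain}/.well-known/nostr.json?name={name}"
    try:
        return json.loads(fetch(url))["names"][name] == pubkey
    except (KeyError, TypeError, ValueError, OSError):
        return False  # unreachable, malformed or missing entry: not verified


def listed_maintainers(yml_text):
    """Keys listed as '- <hex>' under a top-level 'maintainers:' key (assumed layout)."""
    keys, in_list = set(), False
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        item = line.strip()
        if not line[0].isspace() and not item.startswith("-"):
            in_list = item == "maintainers:"  # entering or leaving the list
        elif in_list and item.startswith("-"):
            value = item[1:].strip().strip("'\"")
            if HEX_PUBKEY.fullmatch(value):
                keys.add(value)
    return keys


def announcement_is_backed(event, yml_text):
    """The announcing key must appear in the file read from the repo itself."""
    return event.get("pubkey") in listed_maintainers(yml_text)


# Constructed sample data: keys, domain and file contents are made up.
ALICE, MALLORY = "a" * 64, "b" * 64
WELL_KNOWN = {"https://example.com/.well-known/nostr.json?name=alice":
              json.dumps({"names": {"alice": ALICE}})}
MAINTAINERS_YML = f"maintainers:\n- {ALICE}\nrelays:\n- wss://relay.example.com\n"
fetch = WELL_KNOWN.__getitem__  # offline stand-in for an HTTPS GET
```

The second check only means something when `yml_text` is read from the repository at the clone URL the event points to, not from the event itself or from a relay.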