Open SpecterShell opened 1 month ago
Third-party builds should be identified with the "builder" instead of the "original author". In the above case, the package identifier should be moved to PolarGoose.Ragel.
This appears to be too esoteric to be detected by deterministic automation.
It's normal for people to make and release custom builds of projects that don't provide any pre-built binary or pre-built Windows binary (i.e., only the source code or ELF binaries are provided, which is common in Linux-based projects). However, these custom builds should not use the original author's name in the package identifier unless they have been acknowledged by the author, for example by being listed on the project website or in the README. Otherwise there might be some security concerns.
This came to my attention when I was handling the package AdrianThurston.Ragel (added in #153218), which is actually PolarGoose's custom build of Adrian's Ragel, while I couldn't find any place where the author mentioned this build. I'm not suspecting PolarGoose, but moderators should pay attention to such issues.