The developer who found the vulnerability requested developers to sign their revisions with the GPG key to ensure all their revisions on the project can be verified.