Open
Labels: enhancement (New feature or request)
- Verify and sign commits with GPG or SSH keys. This ensures commits come from trusted sources and prevents attacks that rely on a spoofed identity.
- List Jordan Terry and Mark Towers as owners on PyPI, so that we do not lose control of a package if a primary maintainer becomes unavailable due to unexpected circumstances.
- Have maintainers with GitHub or PyPI permissions use TOTP-based 2FA or better (and secure passwords, email addresses, etc.), to reduce the likelihood of supply chain attacks involving any of our projects.