I wonder if this is social engineering along the same vein as the xz takeover? I see a few structural similarities:
- A lot of pressure being put on a maintainer for reasons that are not particularly obvious to an external observer.
- Anonymous source other than calling themselves KA - so that it can't be linked to them as a past contributor / it is not possible to find people who actually know the instigator. In the xz case, a whole lot of anonymous personas showed up to put the maintainer under pressure.
- A major plank of this seems to be attacking a maintainer for "Avoiding giving away authority". In the xz attack, the attacker sought to get more access and created astroturfed pressure to achieve that end.
- It is on a specially allocated domain with full WHOIS privacy, hosted on GitHub on an org with hidden project owners.
My advice to those attacked here is to keep up the good work on Nix and NixOS, and don't give in to what could be social engineering trying to manipulate you into acting against the community's interests.