I think crev is actually explicitly trying to establish trust for the code, not the programmer.

> It protects against compromised dev accounts, intentional malicious code, typesquating, compromised package registries, or just plain poor quality.