I thought nct has security concerns.
I belive it was to do with account, so no everyone needed permissions (time consuming), but not all were anonymous.
Adding sigs is not more effort than accepting people for savannah accounts, or is it?
It involves checking that the person is who they say they are. A smart person could make gpg key, pretneding to be Bradley, sppof an email saying they have changed their gpg because it expired, and Nct thinks it real, changes it, then viola. That person has access to the whole repository, and in Bradleys name.
I don't think anyone wants that.
With the other way Nct is going to use, Nct would send an email to bradley or vise versa with a password, and told never to forget it. That way, they cant send updates because they changed their password.