So if I control my pypi account and I control other places on the web where I...

@mistersql

So if I control my PyPI account and I control other places on the web where I can publish a backlink, then a backlink checker could get a pretty strong signal that the same person is on both ends. If the other page is an identity signal, e.g. keybase.io/matthewmartin, then I guess that is the best I could do without keybase.io or pypi.org cooperating with each other.

Self-replies

I imagine some people have accidentally done this, i.e. published a personal domain in their PyPI metadata or source code, and the other page has a backlink to PyPI.

Backlinks to/from pastebin would be meaningless; only backlinks for certain domains would be meaningful.

Social validation doesn't have to be airtight, it has to be better than what people do now.

(Yeah, yeah, I know, we can dismiss the problem by saying f*k 'em: if they don't read the code of every package they install, they deserve to lose their AWS keys.)
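As an added example (not code from the thread), a minimal offline version of the backlink checker the posts sketch: it takes PyPI-style project metadata, keeps only links to an allowlisted set of identity hosts (so a pastebin link is ignored, as the self-reply says it should be), and reports which of those identity pages link back to the package. The metadata, the identity page and the allowlist are all constructed for the example.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as identity signals (assumption: a curated allowlist;
# pastebin-style hosts are left out, since the thread says those mean nothing).
IDENTITY_DOMAINS = {"keybase.io", "github.com"}

# Constructed sample shaped like PyPI's JSON API response (not real metadata).
PYPI_JSON = json.dumps({"info": {
    "name": "examplepkg",
    "home_page": "https://pastebin.com/abc123",
    "project_urls": {"Identity": "https://keybase.io/matthewmartin"},
}})

# Constructed identity page that links back to the package on PyPI.
IDENTITY_HTML = """<html><body>
<a rel="me" href="https://pypi.org/project/examplepkg/">my package</a>
<a href="https://pastebin.com/abc123">a paste</a>
</body></html>"""

class LinkCollector(HTMLParser):
    """Collect href values of <a> tags from an HTML document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def outbound_identity_urls(pypi_json):
    """Metadata URLs whose host is an allowlisted identity domain."""
    info = json.loads(pypi_json)["info"]
    urls = [info.get("home_page") or ""] + list((info.get("project_urls") or {}).values())
    return [u for u in urls if urlparse(u).hostname in IDENTITY_DOMAINS]

def links_back(identity_html, package_name):
    """True if the identity page links to the package's own PyPI project page."""
    collector = LinkCollector()
    collector.feed(identity_html)
    return any(urlparse(h).hostname == "pypi.org"
               and urlparse(h).path.rstrip("/") == f"/project/{package_name}"
               for h in collector.hrefs)

def mutual_links(pypi_json, package_name, fetch_page):
    """Identity URLs linked in both directions; fetch_page(url) -> html is
    injected so the check runs offline against the constructed sample."""
    return [u for u in outbound_identity_urls(pypi_json)
            if links_back(fetch_page(u), package_name)]
```

A match only shows that both endpoints point at each other; how much that proves depends on how hard each end is for a stranger to write to, which is why the allowlist, not the link check, carries the weight.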