How would this help against someone submitting an actual, non-compromised version bump, then adding malware once it's accepted?