On 2016-01-05 23:48, Mauro Santos wrote:
If the maintainer of a package can't be contacted or doesn't reply then the package can be orphaned, but I don't see the username being handed over just like that, it's just bad practice, even if other things seem to check out.
Although I agree, that the story sounds a little suspicious, I think, we can find a better way than to simply deny the request. One could send an email announcing the possible account transfer to the original email address. If there is no reply within e.g. a month, we can more or less safely assume, that the story is true. Should the decision later proof wrong, that should not be such a big issue, regarding the fact that there is no personal data stored except for the _public_ key and especially since the only package is your own project.