if we assume that committers to these projects are government employees or contractors (possibly with access to juicy systems or info), it'd be interesting to use this commit data as well as a 1 hop followers/following graph of authors to build a dataset that may shed light into communities of gov't contractors that could then be spear phished/targeted in other manners by say other intel agencies. i wonder if this is being done currently.
Contractors are not secret, nor are employees. You can go to LinkedIn and easily look up people who work for NSA, or Booz Allen Hamilton, and learn a great deal of who does what (again, not a secret). Counterintelligence measures are employed elsewhere.
part of spear phishing is building up credibility, so it's a value add to have this information in addition to whatever other OSINT is out there. if you're committing in tandem with another user that's a huge opportunity to impersonate and phish, vis-a-vis "your buddy at Lockheed".
I used to work at an aerospace company that did a lot of spook projects. Many of the company's senior management were on LinkedIn but all they had in their profiles were first name, last initial and title at the company. Didn't seem a very rich source of information. Maybe that was just a company policy thing and not common with other spook contractors?
part of spear phishing is building up credibility, so it's a value add to have this information in addition to whatever other OSINT is out there. if you're committing in tandem with another user that's a huge opportunity to impersonate and phish, vis-a-vis "your buddy at Lockheed".