Suggestion: simplified "shared accounts"

[mindplay-dk]

I was going to comment on #461, but the issue has been locked, so I'm opening this.

I'd suggest a much simpler change: give access to anyone with an e-mail address listed in authors in composer.json - whoever controls the source then has the ability to decide who has access.

Alternatively, add a separate key maintainers exclusively for this - if you're concerned about implicitly granting access to people in authors who shouldn't have, though my guess is, if you're willing to list them as authors, they're probably already contributing to the package, so they're already trusted.

Maybe not though.

Just figured I'd put the idea out there. We've been waiting two years for some kind of vendor-ownership concept in Packagist and this might be one way to go about it.