- Restrict write access to trusted contributors only.
- Sign commits/patch bundles where team process supports it.
- Keep repository storage on hardened hosts with backups.
- Enforce SSH key authentication for remote repository access.
- Remove stale user keys and accounts regularly.
- Limit shell access on repository hosts.
- Review incoming patches before applying.
- Validate dependencies and build scripts in CI.
- Use immutable backups and restore tests.
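
For the SSH key items above, one way to find keys that may be stale is to cross-reference an `authorized_keys` file with sshd "Accepted publickey" log lines by SHA256 fingerprint. This is an added example, not part of the original checklist. The function names, the `vcs` account, and the sample keys and log line are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

# sshd success line: "... Accepted publickey for USER from IP port N ssh2: TYPE SHA256:..."
ACCEPTED = re.compile(r"Accepted publickey for \S+ from \S+ port \d+ ssh2: \S+ (SHA256:[A-Za-z0-9+/]+)")
# Key type, base64 blob (always starts "AAAA"), optional comment; leading options are skipped.
KEY_LINE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+(AAAA[A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def fingerprint(blob_b64):
    """SHA256 fingerprint in the unpadded-base64 form that sshd logs."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Map fingerprint -> comment for every key line in an authorized_keys file."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        match = None if line.startswith("#") else KEY_LINE.search(line)
        if match:
            keys[fingerprint(match.group(2))] = match.group(3) or "(no comment)"
    return keys


def unused_keys(authorized_keys_text, auth_log_text):
    """Comments of authorized keys that never appear in a successful login."""
    seen = {m.group(1) for m in ACCEPTED.finditer(auth_log_text)}
    keys = parse_authorized_keys(authorized_keys_text)
    return sorted(comment for fp, comment in keys.items() if fp not in seen)


def _sample_blob(fill):
    """Constructed (not real) ed25519-shaped public key blob for the demo."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(raw).decode()


# Constructed sample data: two authorized keys, one login by the first key.
ALICE, BOB = _sample_blob(1), _sample_blob(2)
SAMPLE_KEYS = (f"ssh-ed25519 {ALICE} alice@laptop\n"
               f"no-pty,no-port-forwarding ssh-ed25519 {BOB} bob@old-desktop\n")
SAMPLE_LOG = ("Jan 10 09:14:02 repo sshd[811]: Accepted publickey for vcs "
              f"from 192.0.2.10 port 50514 ssh2: ED25519 {fingerprint(ALICE)}\n")

if __name__ == "__main__":
    print(unused_keys(SAMPLE_KEYS, SAMPLE_LOG))
```

A key missing from the log is only a candidate for review: the log window must cover the whole period you consider stale before the key is removed.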