Hacker News
by lrvick 35 days ago
Anyone with contributor rights can make a fake identity, make a PR with it, then merge their own PR. Effectively no oversight.

Also, because there is no signing, git history can be rewritten easily or people can impersonate each other in git history easily.

This sort of posture is why I am totally serious when I say one compromised GitHub token can backdoor all Nix users.

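The two claims in the comment above (author fields are self-asserted, and unsigned history can be rewritten) can be demonstrated in a throwaway repository, together with the check a CI job or branch-protection rule would run to refuse unsigned commits. This is an added example and not code from the thread or from Nixpkgs; the repository, the `default.nix` content and the identities (`alice`, `mallory`) are made up for illustration, and the only requirement is a `git` binary.

```shell
#!/bin/sh
# Added example (not from the thread or Nixpkgs): git author/committer fields
# are whatever the committer says they are, `--amend` silently replaces history,
# and only a signature check (%G?) can tell a real identity from a claimed one.
# Creates a throwaway repo under $TMPDIR; identities and content are made up.
set -eu

demo_repo() {
  # Fresh repo with one honest commit; prints its path.
  d=$(mktemp -d "${TMPDIR:-/tmp}/unsigned-demo.XXXXXX")
  git -c init.defaultBranch=main init -q "$d"
  # Local config so the demo does not depend on the machine's user.* settings.
  git -C "$d" config user.name "real-maintainer"
  git -C "$d" config user.email "maintainer@example.invalid"
  git -C "$d" config commit.gpgsign false
  echo "{ pkgs }: pkgs.hello" > "$d/default.nix"
  git -C "$d" add default.nix
  git -C "$d" commit -q -m "hello: init"
  echo "$d"
}

impersonate_commit() {
  # Commit as any identity you like: git records the fields, it never checks them.
  repo=$1; name=$2; email=$3
  echo "# innocuous-looking change" >> "$repo/default.nix"
  git -C "$repo" add default.nix
  GIT_AUTHOR_NAME="$name" GIT_AUTHOR_EMAIL="$email" \
  GIT_COMMITTER_NAME="$name" GIT_COMMITTER_EMAIL="$email" \
    git -C "$repo" commit -q -m "hello: bump"
  git -C "$repo" log -1 --format='%an <%ae> / %cn <%ce>'
}

rewrite_author() {
  # Rewrite the author of HEAD in place. The original commit object is orphaned;
  # after a force-push nothing on the remote remembers it.
  repo=$1; name=$2; email=$3
  old=$(git -C "$repo" rev-parse HEAD)
  git -C "$repo" commit -q --amend --no-edit --author="$name <$email>"
  if [ "$(git -C "$repo" rev-parse HEAD)" != "$old" ]; then
    echo "rewritten: author is now $(git -C "$repo" log -1 --format=%an)"
  else
    echo "unchanged"
  fi
}

unsigned_commits() {
  # The policy check a CI job would run over a PR range: count commits that do
  # not carry a good signature. %G? prints G for a good signature, N for none,
  # and B/U/X/Y/R/E for bad, untrusted, expired or unverifiable ones.
  repo=$1; range=$2
  git -C "$repo" log --format='%H %G?' "$range" \
    | awk '$2 != "G" { n++ } END { print n + 0 }'
}

# Stand-alone walkthrough: every step succeeds, and the check flags everything.
R=$(demo_repo)
echo "impersonated: $(impersonate_commit "$R" alice alice@example.invalid)"
echo "$(rewrite_author "$R" mallory mallory@example.invalid)"
echo "commits without a good signature in HEAD: $(unsigned_commits "$R" HEAD)"
rm -rf "$R"
```

Both the impersonated commit and the amended one are accepted by git without complaint, and `unsigned_commits` reports every commit in the range because none carries a signature. A repository that requires signed commits (enforced at the hosting side, or by a pre-receive hook running the same `%G?` check against a trusted keyring) turns the `N` results into rejected pushes; without that, the author line is just a string.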

You have to be either a committer in general or a maintainer of a specific package to merge PRs into Nixpkgs. Contributors' PR approvals in Nixpkgs are just an informal signal for maintainers and committers to consider. And maintainers can only merge changes related to the packages they maintain, not other random changes.
But a maintainer could merge their own PR created by a pseudonym, and signing is not required, so in effect, they can ship any changes to their own packages they wish. This is a major supply chain security risk.