by pxc 23 days ago
You have to be either a committer in general or a maintainer of a specific package to merge PRs into Nixpkgs. Contributors' PR approvals in Nixpkgs are just an informal signal for maintainers and committers to consider. And maintainers can only merge changes related to the packages they maintain, not other random changes.

But a maintainer could merge their own PR created by a pseudonym, and signing is not required, so in effect, they can ship any changes to their own packages they wish. This is a major supply chain security risk.