Security of Nixpkgs Repository

Direct link: https://matrix.to/#/#nix-slsa:matrix.org

Also, this article is very interesting around Guix implementing some of the aspects from TUF where they apply: Securing updates — 2020 — Blog — GNU Guix

I’d note it might be worth nixpkgs looking into PR automation kind of like Prow, where we can allow maintainers to mark a package as ready for merging so fewer people need merge permissions.


As a note around the RFC, git signing in GitHub is pretty useless unless you distribute public keys elsewhere and validate that too.
If an attacker gets access to your GH account they can just change the signing key attached to the account and it looks 100% legit. If it’s also somewhere else they need to change that too, making it much harder.
