Trust model for nixpkgs

How many people have push access to the master branch of nixpkgs? Who are they?

There are currently 139 people with commit access to nixos/nixpkgs. The list isn’t public, but as a committer, I can see it. I’d personally be in favor of making this list public.

A GitHub issue is used to request new commit access. I don’t know if that’s the only way people are granted access (I’d guess probably not).

There are two RFCs about how commit access is revoked due to inactivity:

nixpkgs committers are added by the NixOS GitHub organization owners. I don’t know who all the owners are but I know @edolstra and @domenkozar are owners.


Is the master branch a protected branch, i.e. all changes must come via PRs? If not, why not?

The master branch is not protected. We don’t have the CI set up well enough to protect the branch from all use cases currently. It’s been discussed


Are package maintainers only allowed to push to the packages they own? Or do they have push access to arbitrary code anywhere in nixpkgs?

Package maintainers cannot push to nixpkgs, only committers.


Who (person/organization) is responsible for maintaining nixpkgs and is responsible for overseeing and certifying its security and integrity?

I think the answer here is basically all of us as a community are making a best effort. There is a NixOS foundation and a security team.

10 Likes