Reproducibility
Shared promotion requires independent agreement, not a single party's word.
Input-addressed store paths are global: the openssl path is the same hash for everyone, and Nix trusts a cache's signature to mean "this is the legitimate output of that derivation". Shared promotion is what attaches that globally trusted signature, so it is the security-critical decision.
Two tiers
| Tier | Signs with | Promotes when |
|---|---|---|
| Tenant | a per-tenant key | a verified build, immediately, into the tenant's own namespace |
| Shared | the master key | enough independent, reputation-weighted tenants agree on the same output |
Sybil resistance
- A single repo's attestation never carries the globally trusted key.
- Attesters must clear a GitHub account-age floor.
- Shared promotion needs summed reputation weight across distinct tenants, not a raw count, so a swarm of fresh accounts cannot reach the bar.
Full content verification (independent rebuild) and provenance binding require an external builder. Until then, shared-tier signing stays gated.
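The promotion rule above, as an added example that is not the project's own code: a Python check that applies the account-age floor, collapses each tenant to a single vote, and sums reputation weight per identical output. The threshold, the age floor, the attestation fields and the sample tenants are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from collections import defaultdict

# Policy knobs; both values are assumptions for this example, not the project's settings.
MIN_ACCOUNT_AGE_DAYS = 90      # GitHub account-age floor for attesters
SHARED_WEIGHT_THRESHOLD = 3.0  # summed reputation weight needed for shared promotion

@dataclass(frozen=True)
class Attestation:
    """One tenant's statement: 'my verified build of this derivation produced this output'."""
    tenant: str            # GitHub account behind the per-tenant key
    account_created: date  # when that account was created
    reputation: float      # the tenant's reputation weight
    output_hash: str       # hash of the output the tenant vouches for

def shared_promotion(attestations, today):
    """Return (output_hash, weight) if one output clears the bar, else None.

    Only attesters past the age floor count, each distinct tenant gets one vote,
    and the bar is summed reputation weight behind one identical output, not a count.
    """
    vote = {}  # tenant -> first eligible attestation (one vote per distinct tenant)
    for a in attestations:
        if (today - a.account_created).days < MIN_ACCOUNT_AGE_DAYS:
            continue  # fresh account: never counts toward shared promotion
        vote.setdefault(a.tenant, a)

    weight = defaultdict(float)  # output_hash -> summed reputation of agreeing tenants
    for a in vote.values():
        weight[a.output_hash] += a.reputation

    if not weight:
        return None
    best, best_weight = max(weight.items(), key=lambda kv: kv[1])
    # Tenants that disagree do not add up: only the weight behind one output counts.
    return (best, best_weight) if best_weight >= SHARED_WEIGHT_THRESHOLD else None

# Constructed sample data with a fixed date so the example is deterministic.
TODAY = date(2024, 6, 1)
OLD = TODAY - timedelta(days=400)
FRESH = TODAY - timedelta(days=3)

ESTABLISHED = [Attestation(t, OLD, w, "sha256-OUTPUT-A")
               for t, w in (("alice", 1.5), ("bob", 1.0), ("carol", 0.75))]
SWARM = [Attestation(f"bot{i}", FRESH, 0.25, "sha256-OUTPUT-B") for i in range(40)]
REPEATED = [Attestation("alice", OLD, 1.5, "sha256-OUTPUT-A")] * 5
SPLIT = ESTABLISHED[:2] + [Attestation("dave", OLD, 2.0, "sha256-OUTPUT-B")]
```

With these inputs only the three established tenants agreeing on one output clears the bar; the forty fresh accounts, one tenant attesting five times, and two camps that disagree all fail.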