Thanks for your considered reply. I'm interested exploring how this should shake down in practice.
Scenario: a project has 3 maintainers and 10 regular contributors and one of the contributors has a big positive reputation.
how should they go about issuing releases? assume we had trust attestations we could make against people, apps, releases (nip51 list) and release binaries.