It's actually first-past-the-post because ngit commands sent to any repo event with the same initial commit would show up here.
Discussion
currently gitworkshop.dev uses the npub:identifer with the most number of events tagging it.
ngit users the most recent event where the 'earliest unique commit' matches the initial commit, filtered by npubs listed in 'maintainers.yaml' if that exists, or falls back to prompting the user for an naddr.
The intention is to improve gitworkshop.dev so it makes less automatic choices and factors in WoT to recommendations.
The intention for ngit is to use 'maintainers.yaml' and fallback to the same approach used by gitworkshop.dev.
Both are metrics that can be gamed easily
inclusion in a maintainers.yaml file is hard to game. a would-be maintainer could change the clone url and send users to another git server with a different maintainers.yaml file but they won't be able to get other contributors to sign commits on top of history.
I'm not sure I agree that WoT can be easily gamed but there are certainly some valid critiques. can we really use the contact lists as a sign of trust? Conversations about use of validity of using WoT are happening elsewhere.
Ultimately, the user should be presented with a choice and the choice of npub:identifer should be respected until change their mind. I am currently refactoring gitworkshop.dev to use a specific npub:identifier repository reference rather than a dynamic one based solely on identifier.
Maybe this is a dumb question: but why are the relays in the maintainers.yaml file, rather than in a setup.yaml file or something?