I anticipate that the vast majority of repositories dont have their ownership contested by anyone but fraudsters so the current implemtnation is geared towards that.

Currently if there are multiple people who claim the same repository and they don't list the others as 'maintainers', gitworkshop.dev uses the one with the most references in other events. If they do, the event with the most recent created_at timestamp is used. If someone tries to game this, the intention is to add web of trust into this.

ngit also uses a maintainers.yaml file embedded into the commit history to indicate which npubs to treat as authoritative.

The tools are not yet geared towards multiple legitimate groups of maintainers with conflicting state.

I should probably write a more polished answer and publish it as a FAQ.

I'd love some more challenge around this as its better to find holes earlier rather than later when things are harder to change. What do you think?