> The interesting failure mode isn’t just “one bad actor slips through”, it’s provenance: if you want to
> “denounce the tree rooted at a bad actor”, you need to record where a vouch came from (maintainer X,
> imported list Y, date, reason), otherwise revocation turns into manual whack-a-mole.
>
> Keeping the file format minimal is good, but I’d want at least optional provenance in the details field
> (or a sidecar) so you can do bulk revocations and audits.