Description
It's a security concern to have so many contributors to Nixpkgs with write access. Eventually, I think we will want to start removing commit access for inactive contributors.
For now, though, there's not a very easy way to contribute to Nixpkgs without having write access. I'm thinking "Ofborg" might be able to help with that. A basic proposal (maybe needs to be an RFC):
When at least 1 "known user" approves a PR based on master and all tests have passed, a timer is set for 24 hours. Ofborg sends a comment explaining the 24-hour rule and the expected merge time. After 24 hours, Ofborg checks that: no changes have been requested, no commits have been changed, and that the PR is mergeable into master. If all checks pass, Ofborg automatically merges the PR into master.
The idea is not to replace regular merging but to provide an alternative route for "harmless PRs". Once feedback is given, then it's assumed that manual merging should take place (veto). "Harmless PRs" would include things like new packages and package updates. Users with commit access can still revert the merge later on if they object. The goal is to cut down on the number of open PRs and also make life easier for some of the "mergers".
See also NixOS/nixpkgs#20836
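
The merge rule proposed above, sketched as a decision function. This is an added example, not Ofborg's code and not part of the original issue. The struct fields, the `decide` function, and the reading of "no commits have been changed" as "the approved commit must still be the PR head" are assumptions.

```rust
use std::collections::HashSet;

pub const WAIT_SECS: u64 = 24 * 60 * 60; // the 24-hour timer

/// Constructed PR snapshot; all field names are assumptions for this example.
pub struct PrState<'a> {
    pub base_branch: &'a str,
    pub head_sha: &'a str,
    /// (reviewer, commit SHA they approved, unix time of approval)
    pub approvals: Vec<(&'a str, &'a str, u64)>,
    pub changes_requested: bool,
    pub tests_passed: bool,
    pub mergeable: bool,
}

#[derive(Debug, PartialEq)]
pub enum Decision { NotEligible(&'static str), Waiting { merge_at: u64 }, Merge }

pub fn decide(pr: &PrState, known_users: &HashSet<&str>, now: u64) -> Decision {
    if pr.base_branch != "master" { return Decision::NotEligible("not based on master"); }
    // Any requested change is a veto: the PR falls back to manual merging.
    if pr.changes_requested { return Decision::NotEligible("changes requested, manual merge only"); }
    if !pr.tests_passed { return Decision::NotEligible("tests have not passed"); }
    // Count only known-user approvals of the current head, so a commit pushed
    // after approval cancels the pending merge until someone re-approves.
    let started = pr.approvals.iter()
        .filter(|(who, sha, _)| known_users.contains(who) && *sha == pr.head_sha)
        .map(|(_, _, at)| *at)
        .min();
    let merge_at = match started {
        Some(t) => t + WAIT_SECS,
        None => return Decision::NotEligible("no known-user approval of current head"),
    };
    if now < merge_at { return Decision::Waiting { merge_at }; }
    // Mergeability is checked last, at merge time, because master keeps moving.
    if !pr.mergeable { return Decision::NotEligible("not mergeable into master"); }
    Decision::Merge
}

fn main() {
    let known_users: HashSet<&str> = HashSet::from(["alice"]); // constructed sample data
    let pr = PrState { base_branch: "master", head_sha: "aaa", approvals: vec![("alice", "aaa", 1000)],
                       changes_requested: false, tests_passed: true, mergeable: true };
    println!("{:?}", decide(&pr, &known_users, 90_000));
}
```

Tying each approval to the SHA it covered is what keeps a contributor from getting an approval and then pushing different commits inside the 24-hour window.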