Maintainers can also invoke the [nixpkgs-merge-bot](https://github.com/nixos/nixpkgs-merge-bot) to merge pull requests that target packages they maintain and that satisfy the bot's current security [constraints](https://github.com/NixOS/nixpkgs-merge-bot/blob/main/README.md#constraints).
Examples: [#397273](https://github.com/NixOS/nixpkgs/pull/397273#issuecomment-2789382120) and [#377027](https://github.com/NixOS/nixpkgs/pull/377027#issuecomment-2614510869)

New maintainers will automatically get invited to join the [NixOS/nixpkgs-maintainers](https://github.com/orgs/NixOS/teams/nixpkgs-maintainers) GitHub team.
By joining, you will get some triaging rights in the nixpkgs repository, such as the ability to close and reopen issues made by others and to manage labels.
However, the GitHub team invite is usually only sent by email, and is only valid for one week!
Should it expire, please ask for a re-invite in the [GitHub org owners help desk Matrix channel](https://matrix.to/#/#org_owners:nixos.org).

### Unofficial maintainer tooling
- [zh.fail](https://zh.fail/failed/overview.html) tracks all package build failures on `master` grouped by maintainer.
- [asymmetric/nixpkgs-update-notifier](https://github.com/asymmetric/nixpkgs-update-notifier) is a Matrix bot that scrapes the [nixpkgs-update logs](https://nixpkgs-update-logs.nix-community.org/) and notifies you if nixpkgs-update/@r-ryantm fails to update any of the packages you've subscribed to.
- [repology.org](https://repology.org) tracks and compares the versions of packages between various package repositories, letting you know what packages may be out of date or insecure.
  You can view which packages a specific maintainer maintains and subscribe to updates with Atom/RSS.
  Example: [repology.org/maintainer/pbsds](https://repology.org/maintainer/pbsds%40hotmail.com).
- [nixpk.gs/pr-tracker](https://nixpk.gs/pr-tracker.html) and [nixpkgs-tracker.ocfox.me](https://nixpkgs-tracker.ocfox.me/) can visualize the release status of any nixpkgs pull request.

## Reviewing contributions
### Individual maintainer list
When adding users to [`maintainer-list.nix`](./maintainer-list.nix), the following checks should be performed:
- If the user has specified a GPG key, verify that the commit is signed by their key.

  First, validate that the commit adding the maintainer is signed by the key the maintainer listed.
  Check out the pull request and compare its signing key with the listed key in the commit.

  If the commit is not signed or it is signed by a different user, ask them to either recommit using that key or to remove their key information.

  Given a maintainer entry like this:

  ```nix
  {
    example = {
      email = "user@example.com";
      name = "Example User";
      keys = [ { fingerprint = "0000 0000 2A70 6423 0AED 3C11 F04F 7A19 AAA6 3AFE"; } ];
    };
  }
  ```

  First, receive their key from a keyserver:

  ```console
  $ gpg --recv-keys 0xF04F7A19AAA63AFE
  gpg: key 0xF04F7A19AAA63AFE: public key "Example <user@example.com>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  ```

  Then check the commit is signed by that key:

  ```console
  $ git log --show-signature
  commit b87862a4f7d32319b1de428adb6cdbdd3a960153
  gpg: Signature made Wed Mar 12 13:32:24 2003 +0000
  gpg:                using RSA key 000000002A7064230AED3C11F04F7A19AAA63AFE
  gpg: Good signature from "Example User <user@example.com>"
  Author: Example User <user@example.com>
  Date:   Wed Mar 12 13:32:24 2003 +0000

      maintainers: adding example
  ```

  and validate that there is a `Good signature` and the printed key matches the user's submitted key.

  Note: GitHub's "Verified" label does not display the user's full key fingerprint, and should not be used to validate that the key matches.

- Ensure that the user has specified a `github` account name and a `githubId` and verify the two match.

  People can and do change their GitHub name frequently, and the ID is used as the official and stable identity of the maintainer.
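
The GPG check from the first item can be scripted so the comparison does not rely on reading 40 hex digits by eye. The following is an added example, not part of nixpkgs or its tooling: the function names are hypothetical, and it relies on git's `%G?`, `%GF` and `%GP` pretty-format placeholders (signature status, signing-key fingerprint, primary-key fingerprint). It assumes a 40-digit fingerprint as in the sample entry, and that a maintainer may list a primary key while signing with one of its subkeys.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not nixpkgs tooling.

# Strip whitespace and an optional 0x prefix, then uppercase the hex digits.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# check_signature LISTED STATUS SIGNING_FPR PRIMARY_FPR
# Returns 0 on a match, 1 on a bad status or mismatch, 2 on an unusable entry.
check_signature() {
  cs_listed=$(normalize_fpr "$1")
  cs_signing=$(normalize_fpr "$3")
  cs_primary=$(normalize_fpr "$4")
  # Insist on a full 40-hex-digit fingerprint (assumed format, as in the
  # sample entry); a key ID alone does not identify a key uniquely.
  case "$cs_listed" in
    *[!0-9A-F]*) echo "listed fingerprint is not hex" >&2; return 2 ;;
  esac
  [ "${#cs_listed}" -eq 40 ] || { echo "listed value is not a full fingerprint" >&2; return 2; }
  # %G? codes: G = good, U = good but the key has no assigned trust (normal
  # for a key just fetched from a keyserver). B, X, Y, R, E, N are rejected.
  case "$2" in
    G|U) ;;
    *) echo "signature status is '$2'" >&2; return 1 ;;
  esac
  # Accept the signing key itself or, for a signing subkey, its primary key.
  if [ "$cs_listed" = "$cs_signing" ] || [ "$cs_listed" = "$cs_primary" ]; then
    return 0
  fi
  echo "signed by $cs_signing (primary $cs_primary), expected $cs_listed" >&2
  return 1
}

# verify_commit COMMIT LISTED: ask git for status and fingerprints, then compare.
verify_commit() {
  read -r vc_status vc_signing vc_primary <<EOF
$(git log -1 --format='%G? %GF %GP' "$1")
EOF
  check_signature "$2" "$vc_status" "$vc_signing" "$vc_primary"
}
```

After importing the key, run `verify_commit <commit> "<fingerprint from the entry>"` inside the checked-out pull request; a non-zero exit status means the commit should not be accepted as signed by the listed key.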