
Sharing private keys is bad practice for a lot of reasons.

Presumably in this case you're doing this without a third party like GitHub (e.g. the code is stored on IPFS).

Rotating that RSA key requires all of your users to update things on their side so they'll continue accepting updates signed by the new key. That's a problem because you want key rotation to be low-effort so people do it just in case, and notifying every user is the opposite of that.

On the other hand, when a new user or organization takes over for an old one re: publishing updated versions (presumably there's a smart contract that gets updated with the latest trusted hash by the tokenholder), that's an event where you really do want all your users to scrutinize the new maintainer.

Key transfer is opaque, NFT transfer is transparent.



