There is no incentive for adding the friction of gas or PoW for these types of systems.
The parties involved can have a shared log and private keys for signing entries. Party A provides a thing and Party B signs an entry that says they were provided with the thing. Party A can wait for that signed entry before releasing the goods, etc. The problem with blockchain to track physical stuff is that handoffs are not instantaneous, so there’s always lag between the real state of the world and what the log says. In practice, this may be a few seconds, and a human might wait for confirmation before physically granting access to a recipient.
To put it another way, the party that is signing is not incentivized to forge that they have received an object from someone else, as that is effectively the fulfillment of the obligation. They’re only going to sign an entry if they get the object.
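An added example, not part of the comments above: a minimal sketch of the shared log with signed handoff entries, where the provider checks the recipient's signed entry before releasing. The entry layout, the names `Entry`, `SignReceipt`, `Head` and `MayRelease`, and the choice of Ed25519 with SHA-256 chaining are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is one handoff record in the shared log (layout is an assumption).
type Entry struct {
	Prev [32]byte // hash of the previous entry, chaining the log
	Item string   // what is handed over
	From string   // providing party
	To   string   // receiving party, who signs the entry
	Sig  []byte   // receiver's signature over the fields above
}

// digest hashes every field except the signature, length-prefixed to avoid ambiguity.
func (e Entry) digest() []byte {
	h := sha256.New()
	h.Write(e.Prev[:])
	fmt.Fprintf(h, "%d:%s%d:%s%d:%s", len(e.Item), e.Item, len(e.From), e.From, len(e.To), e.To)
	return h.Sum(nil)
}

// SignReceipt is run by the receiver to acknowledge the handoff.
func SignReceipt(priv ed25519.PrivateKey, prev [32]byte, item, from, to string) Entry {
	e := Entry{Prev: prev, Item: item, From: from, To: to}
	e.Sig = ed25519.Sign(priv, e.digest())
	return e
}

// Head returns the hash that the next log entry must reference.
func Head(e Entry) [32]byte {
	return sha256.Sum256(append(e.digest(), e.Sig...))
}

// MayRelease is the provider's gate: right log position, right item and parties, valid signature.
func MayRelease(e Entry, head [32]byte, item, from, to string, pub ed25519.PublicKey) bool {
	return e.Prev == head && e.Item == item && e.From == from && e.To == to &&
		ed25519.Verify(pub, e.digest(), e.Sig)
}

func main() { // constructed sample values
	pub, priv, _ := ed25519.GenerateKey(nil)
	e := SignReceipt(priv, [32]byte{}, "pallet-17", "A", "B")
	fmt.Println("release:", MayRelease(e, [32]byte{}, "pallet-17", "A", "B", pub))
	fmt.Println("replayed:", MayRelease(e, Head(e), "pallet-17", "A", "B", pub))
}
```

Binding each entry to the previous head means an old signed receipt cannot be replayed for a later handoff of the same item.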
At my last job, we used sleet in combination with S3 and a CloudFront distribution with an authorization lambda for pulling packages. I think the whole setup took about 2 hours and it was rock solid.
This was necessary because we were using Octopus Deploy and were bumping into storage limits with their built-in feed.
We were a relatively small team, with a relatively slow package publish rate (10x a day, probably).
Biggest issue with sleet is that it’s not going to support “pull through” so you’ll need to have multiple NuGet feeds configured.