I think that Fedora doesn't use Vendor in its RPMs. I usually just get watchcommit permissions on packages I have persistent patches no one will accept. Sure, it only works for Fedora packages (not RPMFusion, etc.), but that's been sufficient for me. A plugin to yum which warns when the repo changes shouldn't be too hard.