zlacker

1. kleyd+Pd2 2026-02-08 23:01:56
>>chwtut+(OP)
Thought experiment: strip a forge down to what plain Git can't do: identity (who?), attestations (signed claims about a ref or actor), and policy (do these claims allow this ref update?).

With just those primitives, CI is a service that emits "ci/tested." Review emits "review/approved." A merge controller watches for sufficient attestations and requests a ref update. The forge kernel only evaluates whether claims satisfy policy.

Vouch shifts this even further left: attestations about people, not just code. "This person is trusted" is structurally the same kind of signed claim as "this commit passed CI." It gates participation itself, not just mergeability.

All this should ideally be part of a repo, not inside a closed platform like GitHub. I like it and am curious to see where this stands in 5 years.
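
A sketch of the "forge kernel" described in the comment above (an added example, not code from the thread or from Vouch): Ed25519-signed attestations about a commit and about its author are checked against a policy before a ref update is allowed. The `ci/tested` and `review/approved` names come from the comment; the `vouch/trusted` name, the identities, the one-issuer-per-claim policy shape and the sample values are assumptions.

```go
package main

import "crypto/ed25519"
import "fmt"

// Attestation: Issuer signs "Claim holds for Subject" (a commit or a person).
type Attestation struct{ Issuer, Claim, Subject string; Sig []byte }
// Policy is all the kernel knows: identity keys, who may issue each claim, what a commit needs.
type Policy struct {
	Keys     map[string]ed25519.PublicKey
	Issuers  map[string]string // claim -> the one identity allowed to issue it (assumed shape)
	Required []string
}
func payload(i, c, s string) []byte { return []byte(i + "\x00" + c + "\x00" + s) }
func Sign(k ed25519.PrivateKey, issuer, claim, subject string) Attestation {
	return Attestation{issuer, claim, subject, ed25519.Sign(k, payload(issuer, claim, subject))}
}

// holds reports whether the authorized issuer validly signed claim for subject.
func (p Policy) holds(claim, subject string, atts []Attestation) bool {
	for _, a := range atts {
		if key, ok := p.Keys[a.Issuer]; ok && a.Claim == claim && a.Subject == subject &&
			p.Issuers[claim] == a.Issuer && ed25519.Verify(key, payload(a.Issuer, a.Claim, a.Subject), a.Sig) {
			return true
		}
	}
	return false
}

// AllowUpdate gates participation first (author vouched), then mergeability.
func (p Policy) AllowUpdate(author, commit string, atts []Attestation) bool {
	ok := p.holds("vouch/trusted", author, atts)
	for _, c := range p.Required {
		ok = ok && p.holds(c, commit, atts)
	}
	return ok
}

// Scenario (constructed data): complete set, author not vouched, forged CI claim.
func Scenario() (full, unvouched, forged bool) {
	p := Policy{Keys: map[string]ed25519.PublicKey{}, Required: []string{"ci/tested", "review/approved"},
		Issuers: map[string]string{"ci/tested": "ci-bot", "review/approved": "reviewer", "vouch/trusted": "maintainer"}}
	mk := func(id string) ed25519.PrivateKey { pub, k, _ := ed25519.GenerateKey(nil); p.Keys[id] = pub; return k }
	m, c, r := mk("maintainer"), mk("ci-bot"), mk("reviewer")
	vouch, ci := Sign(m, "maintainer", "vouch/trusted", "alice"), Sign(c, "ci-bot", "ci/tested", "c0ffee")
	rev, fake := Sign(r, "reviewer", "review/approved", "c0ffee"), Sign(r, "ci-bot", "ci/tested", "c0ffee")
	try := func(atts ...Attestation) bool { return p.AllowUpdate("alice", "c0ffee", atts) }
	return try(vouch, ci, rev), try(ci, rev), try(vouch, fake, rev) // fake: reviewer's key, ci-bot's name
}
func main() { fmt.Println(Scenario()) }
```

The NUL-separated payload is only unambiguous if no field can contain a NUL byte; a real format would use a length-prefixed or canonical encoding and bind an expiry or ref name into the signed bytes.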

2. Tossro+dh2 2026-02-08 23:33:09
>>kleyd+Pd2
Inside the repo as metadata that can be consumed by a provider, like GHA config in .github/. Standardized, at least as an extension like git lfs so it's provider-independent. Could work! I've long thought effective reputational models are a major missing piece of internet infrastructure; this could be the beginning of their existence given the new asymmetric threat of LLM output, combined with mitchellh's productivity and recognition.