zlacker

[return to "Vouch"]
1. femto1+XT1[view] [source] 2026-02-08 20:38:11
>>chwtut+(OP)
Users already proven to be trustworthy in one project can automatically be assumed trustworthy in another project, and so on.

I get the spirit of this project is to increase safety, but if the above social contract actually becomes prevalent this seems like a net loss. It establishes an exploitable path for supply-chain attacks: attacker "proves" themselves trustworthy on any project by behaving in an entirely helpful and innocuous manner, then leverages that to gain trust in target project (possibly through multiple intermediary projects). If this sort of cross project trust ever becomes automated then any account that was ever trusted anywhere suddenly becomes an attractive target for account takeover attacks. I think a pure distrust list would be a much safer place to start.

◧◩
2. mitche+f62[view] [source] 2026-02-08 22:06:39
>>femto1+XT1
I think this fear is overblown. What Vouch protects against is ultimately up to the downstream but generally its simply gated access to participate at all. It doesn't give you the right to push code or anything; normal review processes exist after. It's just gating the privilege to even request a code review.

Its just a layer to minimize noise.

◧◩◪
3. AlexCo+4r2[view] [source] 2026-02-09 00:58:27
>>mitche+f62
Did you experiment with getting an AI to critique incoming PRs, and ignoring ones where it finds clear red flags?
[go to top]