zlacker

[return to "Vouch"]
1. freaky+Ix2[view] [source] 2026-02-09 02:00:31
>>chwtut+(OP)
The underlying idea is admirable, but in practice this could create a market for high-reputation accounts that people buy or trade at a premium.

Once an account is already vouched, it will likely face far less scrutiny on future contributions — which could actually make it easier for bad actors to slip in malware or low-quality patches under the guise of trust.

◧◩
2. Goofy_+GF2[view] [source] 2026-02-09 03:25:40
>>freaky+Ix2
Amazing idea - absolutely loving vouch. However, as a security person, this comment immediately caught my attention.

A few things come to mind (it's late here, so apologies in advance if they're trivial and not thought through):

- Threat Actors compromising an account and use it to Vouch for another account. I have a "hunch" it could fly under the radar, though admittedly I can't see how it would be different from another rogue commit by the compromised account (hence the hunch).

- Threat actors creating fake chains of trust, working the human factor by creating fake personas and inflating stats on Github to create (fake) credibility (like how number of likes on a video can cause other people to like or not, I've noticed I may not like a video if it has a low count which I would've if it had millions - could this be applied here somehow with the threat actor's inflated repo stats?)

- Can I use this to perform a Contribution-DDOS against a specific person?

◧◩◪
3. freaky+ZI2[view] [source] 2026-02-09 04:01:54
>>Goofy_+GF2
The idea is sound, and we definitely need something to address the surge in low-effort PRs, especially in the post-LLM era.

Regarding your points:

"Threat Actors compromising an account..." You're spot on. A vouch-based system inevitably puts a huge target on high-reputation accounts. They become high-value assets for account takeovers.

"Threat actors creating fake chains of trust..." This is already prevalent in the crypto landscape... we saw similar dynamics play out recently with OpenClaw. If there is a metric for trust, it will be gamed.

From my experience, you cannot successfully layer a centralized reputation system over a decentralized (open contribution) ecosystem. The reputation mechanism itself needs to be decentralized, evolving, and heuristics-based rather than static.

I actually proposed a similar heuristic approach (on a smaller scale) for the expressjs repo a few months back when they were the first to get hit by mass low-quality PRs: https://gist.github.com/freakynit/c351872e4e8f2d73e3f21c4678... (sorry, couldn;t link to original comment due to some github UI issue.. was not showing me the link)

[go to top]