zlacker

[return to "Vouch"]
1. freaky+Ix2[view] [source] 2026-02-09 02:00:31
>>chwtut+(OP)
The underlying idea is admirable, but in practice this could create a market for high-reputation accounts that people buy or trade at a premium.

Once an account is already vouched, it will likely face far less scrutiny on future contributions — which could actually make it easier for bad actors to slip in malware or low-quality patches under the guise of trust.

◧◩
2. stavro+8z2[view] [source] 2026-02-09 02:14:13
>>freaky+Ix2
How is that different from what happens now, where someone who contributes regularly to a project faces less scrutiny than a new person?
◧◩◪
3. freaky+2K2[view] [source] 2026-02-09 04:13:03
>>stavro+8z2
The difference is that today this trust is local and organic to a specific project. A centralized reputation system shared across many repos turns that into delegated trust... meaning, maintainers start relying on an external signal instead of their own review/intuition. That's a meaningful shift, and it risks reducing scrutiny overall.
◧◩◪◨
4. anon-3+sM2[view] [source] 2026-02-09 04:43:40
>>freaky+2K2
I am still not going to merge random code from a supposed trusted invdividual. As it is now, everyone is supposedly trusted enough to be able to contribute code. This vouching system will make me want to spend more time, not less, when contributing.
◧◩◪◨⬒
5. freaky+rN2[view] [source] 2026-02-09 04:56:04
>>anon-3+sM2
Trust signals change behavior at scale, even if individuals believe they're immune.

You personally might stay careful, but the whole point of vouching systems is to reduce review effort in aggregate. If they don't change behavior, they add complexity without benefi.. and if they do, that's exactly where supply-chain risk comes from.

[go to top]