zlacker

[return to "Vouch"]
1. freaky+Ix2 2026-02-09 02:00:31
>>chwtut+(OP)
The underlying idea is admirable, but in practice this could create a market for high-reputation accounts that people buy or trade at a premium.

Once an account is already vouched, it will likely face far less scrutiny on future contributions — which could actually make it easier for bad actors to slip in malware or low-quality patches under the guise of trust.

2. stavro+8z2 2026-02-09 02:14:13
>>freaky+Ix2
How is that different from what happens now, where someone who contributes regularly to a project faces less scrutiny than a new person?
3. freaky+2K2 2026-02-09 04:13:03
>>stavro+8z2
The difference is that today this trust is local and organic to a specific project. A centralized reputation system shared across many repos turns that into delegated trust... meaning, maintainers start relying on an external signal instead of their own review/intuition. That's a meaningful shift, and it risks reducing scrutiny overall.
4. octobe+oM2 2026-02-09 04:41:57
>>freaky+2K2
I don't think the intent is for trust to be delegated to infinity. It can just be shared easily. I could imagine a web of trust being shared between projects directly working together.
5. freaky+JN2 2026-02-09 04:59:18
>>octobe+oM2
That could happen... but then it would end up becoming a development model similar to the one followed by sqlite and ffmpeg... i.e., open for read, but closed (almost?) for writes to external contributions.

I don't know whether that's good or bad for the overall open-source ecosystem.
