zlacker

[parent] [thread] 9 comments
1. stavro+(OP)[view] [source] 2026-02-09 02:14:13
How is that different from what happens now, where someone who contributes regularly to a project faces less scrutiny than a new person?
replies(1): >>freaky+Ua
2. freaky+Ua[view] [source] 2026-02-09 04:13:03
>>stavro+(OP)
The difference is that today this trust is local and organic to a specific project. A centralized reputation system shared across many repos turns that into delegated trust... meaning, maintainers start relying on an external signal instead of their own review/intuition. That's a meaningful shift, and it risks reducing scrutiny overall.
replies(3): >>stavro+hc >>octobe+gd >>anon-3+kd
3. stavro+hc[view] [source] [discussion] 2026-02-09 04:27:40
>>freaky+Ua
This isn't a centralised reputation system, though, is it? Each project keeps its own whitelist.
replies(1): >>freaky+Ee
4. octobe+gd[view] [source] [discussion] 2026-02-09 04:41:57
>>freaky+Ua
I don't think the intent is for trust to be delegated to infinity. It can just be shared easily. I could imagine a web of trust being shared between projects directly working together.
replies(1): >>freaky+Be
5. anon-3+kd[view] [source] [discussion] 2026-02-09 04:43:40
>>freaky+Ua
I am still not going to merge random code from a supposed trusted individual. As it is now, everyone is supposedly trusted enough to be able to contribute code. This vouching system will make me want to spend more time, not less, when contributing.
replies(2): >>freaky+je >>bccdee+ag
6. freaky+je[view] [source] [discussion] 2026-02-09 04:56:04
>>anon-3+kd
Trust signals change behavior at scale, even if individuals believe they're immune.

You personally might stay careful, but the whole point of vouching systems is to reduce review effort in aggregate. If they don't change behavior, they add complexity without benefit... and if they do, that's exactly where supply-chain risk comes from.

7. freaky+Be[view] [source] [discussion] 2026-02-09 04:59:18
>>octobe+gd
That could happen... but then it would end up becoming a development model similar to the one followed by sqlite and ffmpeg, i.e., open for read, but closed (almost?) for writes to external contributions.

I don't know whether that's good or bad for the overall open-source ecosystem.

8. freaky+Ee[view] [source] [discussion] 2026-02-09 04:59:31
>>stavro+hc
That's true.
9. bccdee+ag[view] [source] [discussion] 2026-02-09 05:19:17
>>anon-3+kd
I think something people are missing here is, this is a response to the groundswell in vibecoded slop PRs. The point of the vouch system is not to blindly merge code from trusted individuals; it's to completely ignore code from untrusted individuals, permitting you to spend more time reviewing the MRs which remain.
replies(1): >>aragil+iF
10. aragil+iF[view] [source] [discussion] 2026-02-09 09:34:36
>>bccdee+ag
Would it not be better to report accounts then?