AI eliminated the natural barrier to entry that let OSS projects trust by default. People told me to do something rather than just complain. So I did. Introducing Vouch: explicit trust management for open source. Trusted people vouch for others. https://github.com/mitchellh/vouch

The idea is simple: Unvouched users can't contribute to your projects. Very bad users can be explicitly "denounced", effectively blocked. Users are vouched or denounced by contributors via GitHub issue or discussion comments or via the CLI.

Integration into GitHub is as simple as adopting the published GitHub actions. Done. Additionally, the system itself is generic to forges and not tied to GitHub in any way.

Who and how someone is vouched or denounced is up to the project. I'm not the value police for the world. Decide for yourself what works for your project and your community.

All of the data is stored in a single flat text file in your own repository that can be easily parsed by standard POSIX tools or mainstream languages with zero dependencies.

My hope is that eventually projects can form a web of trust so that projects with shared values can share their vouch lists with each other (automatically) so vouching or denouncing a person in one project has ripple effects through to other projects.

The idea is based on the already successful system used by @badlogicgames in Pi. Thank you Mario.

Ghostty will be integrating this imminently.

@mitchellh I was waiting for some form of this to pop up. You're first on my radar.

Things like this will eventually need to be something other than boolean. The clumsy n00b that is instantly denounced has no way to crawl out of that hole.

"Karma" systems where one earns good credit for work also push these things to something other than boolean.

This will always be able to be gamed, but it's at least a helpful speedbump. Thanks for the work.

@jhaas Policy is up to downstream, but for my projects, if you just talk to me like a normal human, recognize your mistakes, etc., I’ll revouch for you. This isn’t meant to be a non-human process. On the contrary, this is to encourage a more human process. Just act like any normal human social norm.

@mitchellh I have zero gripes about your design intentions and think that a lot of how mechanisms like this are used will grow organically.

My opinion has been that AI introduces two massive issues of Trust: Identity (who is this _really_) and Authenticity. Part of being authentic is knowing why you can trust something.

Mostly, I'm pleased that people are actively exploring the solution spaces for these problems.