AI eliminated the natural barrier to entry that let OSS projects trust by default. People told me to do something rather than just complain. So I did. Introducing Vouch: explicit trust management for open source. Trusted people vouch for others. https://github.com/mitchellh/vouch

The idea is simple: Unvouched users can't contribute to your projects. Very bad users can be explicitly "denounced", effectively blocked. Users are vouched or denounced by contributors via GitHub issue or discussion comments or via the CLI.

Integration into GitHub is as simple as adopting the published GitHub actions. Done. Additionally, the system itself is generic to forges and not tied to GitHub in any way.

Who and how someone is vouched or denounced is up to the project. I'm not the value police for the world. Decide for yourself what works for your project and your community.

All of the data is stored in a single flat text file in your own repository that can be easily parsed by standard POSIX tools or mainstream languages with zero dependencies.

My hope is that eventually projects can form a web of trust so that projects with shared values can share their vouch lists with each other (automatically) so vouching or denouncing a person in one project has ripple effects through to other projects.

The idea is based on the already successful system used by @badlogicgames in Pi. Thank you Mario.

Ghostty will be integrating this imminently.
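As an added illustration of the gate the post describes (unvouched users blocked, denounced users blocked even if someone later vouches for them, all driven by a flat text file readable with POSIX tools), here is a small POSIX shell script. It is not Vouch's own code and does not use Vouch's actual file format; the record layout (`<verb> <user> <voucher>`, one per line, `#` comments), the "denounce overrides vouch" rule, and the `VOUCH_FILE` variable are assumptions made for this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not part of the Vouch project. The file format below is a
# hypothetical one: one record per line, "<verb> <user> <voucher>", where
# verb is "vouch" or "denounce". A denounce wins over any vouch for the same
# user regardless of line order (an assumption of this example).

VOUCH_FILE="${VOUCH_FILE:-./vouch.txt}"

# Write constructed sample data (for the illustration only).
make_sample_vouch_file() {
    cat > "$VOUCH_FILE" <<'EOF'
# constructed sample vouch file
vouch alice mitchellh
vouch bob alice
denounce mallory mitchellh
vouch mallory bob
EOF
}

# Print exactly one of: vouched, denounced, unvouched.
# Uses only awk, so it needs no language runtime in CI.
vouch_status() {
    user="$1"
    awk -v u="$user" '
        $1 ~ /^#/ || NF < 3 { next }            # skip comments / malformed lines
        $2 == u && $1 == "denounce" { d = 1 }   # any denounce marks the user
        $2 == u && $1 == "vouch"    { v = 1 }
        END {
            if (d) print "denounced"
            else if (v) print "vouched"
            else print "unvouched"
        }' "$VOUCH_FILE"
}

# Gate for a CI job: succeed only for vouched users. The caller passes the
# actor login (e.g. from GITHUB_ACTOR; how Vouch's actions do this is not
# shown on the page, so treat that as an assumption).
require_vouched() {
    case "$(vouch_status "$1")" in
        vouched) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo when run directly with VOUCH_DEMO=1.
if [ "${VOUCH_DEMO:-0}" = 1 ]; then
    make_sample_vouch_file
    for u in alice bob mallory carol; do
        printf '%s: %s\n' "$u" "$(vouch_status "$u")"
    done
fi
```

The point of keeping the gate to a single awk pass is that the file stays auditable by anyone with a shell, and the precedence rule (denounce beats vouch) is explicit in the code rather than implied by line order.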

@mitchellh reminds me of early PGP Web of Trust days and keysigning parties
@darkuncle That was exactly the inspiration.
@mitchellh this seems like it would take off much more easily without the requirement for offline in-person key review and comparison too (one of the big drags on adoption for PGP Web of Trust). And without the invariably awkward "parties" :)
@darkuncle That's my hope for this project :) (since it requires none of that)

@mitchellh @darkuncle This has given me a lot of thought. The rise of code slop has definitely started to take a toll on me, and I wonder if there's a feasible way to bootstrap this mechanism so that I don't necessarily wipe out all interactions with new contributors just out of the gate.

But otherwise, I think this is at least walking down the right path.

@neal @mitchellh @darkuncle go through old submissions/responses, if they were accepted/positive then "autovouch" them?
@mitchellh This is great for ease of adoption, but to avoid getting locked into a forge, are there any plans to support vouching signing keys? There's possibly not much point denouncing signing keys.
@gozz it already is forge agnostic, see the spec. But yes also want to support keys
@mitchellh Neat! To clarify, I meant as in having a long-curated list of vouched GitHub users and then, if you decide to move elsewhere, having to match vouched contributors to new IDs. Doable, but friction.
@gozz @mitchellh Sounds like Public Key Transparency to me. There's this project https://github.com/fedi-e2ee/public-key-directory-specification which has recently been trying to address it.
@mitchellh sounds like the system for arxiv
@mitchellh my only concern is new and upcoming devs won't have anyone to vouch for them, thus cutting them out of open source entirely. Think there's a way to fix that?
@rogueren Not up to me, policy is up to the integrator as noted. In Ghostty, to get vouched you just need to write your proposal out. If it’s reasonable you’re in. No other work required.
@mitchellh I like the explicit denouncement. Unclean! Unclean! Heretic! 👉
@mitchellh Reminds me of Advogato from c.1999, kind-of peer reviewed slashdot built on an attack-resistant trust metric.
It built a huge trust network of people involved with opensource/freesoftware but ultimately failed, I think, because it only proved identity, rather than reputation.
I like the generality you're suggesting about how to apply "trust" to a project.
@tobyjaffey yep that was one of the inspirations!
@tobyjaffey @mitchellh advogato, wow, that brings back good memories!

@mitchellh Mario is actually on mastodon.

@badlogic

@mitchellh
I think this might promote cultish userbases depending on the trust system.
It's probably easier to include a checkbox in PR templates so contributors can confirm that no AI tools were used.
@HugeGameArtGD this doesn’t work because AI opens with the API. Source: we tried. lol.
@mitchellh @kevin
Does this do anything to help with the next/current Jia Tan (xz)?
@FritzAdalis @kevin No, since Jia was anointed as a maintainer (effectively vouched).
@mitchellh @kevin
I'm thinking of if this were in place before he sent his first patch. My understanding is most of Tan's contributions were good.

@mitchellh

make sure to re-vet contributors to defend against liars and people later corrupted by 'interests'.

Open source is still People.

@mitchellh sending that to all my servers rn.
@mitchellh great idea, thanks for creating!

@mitchellh thanks for building this! i like the idea B)

pessimist take: assuming this gains momentum (which i hope it does), i wonder how long it'll take until some more radical folks (on both sides of the political spectrum) will en masse block people on "the other side" from contributing to their projects. and then we'll have many blocklists of open-source developers. kind of like we have blocklists in adblock.

As a new contributor to most projects, what is the best way of gaining people's trust if I'm not allowed to submit code anywhere to do so?
@csolisr probably make your own smaller projects and reach out to other smaller projects with specific pull requests for specific things, and gradually build up your reputation.

Thinking about contexts — if you added “in the proposed Vouch system” to the beginning of that it’ll be harder for jerks to take out of context?

Actual answer - ish:

There were ways before everything went constantly online, and I know they weren't all official because some people carefully didn't mention they were minors.

1/2
@csolisr

Lots of online discussion in subject based BBSs and forums and MOOs, as I remember. Toy problems and teaching problems and polishing your journeyman-piece first patch until it’s clear and explained.

There’s more people trying and nobody used to think they could get rich programming and whoo boy some laws have changed. But also there are more places to start because there’s so much more software.

@csolisr

@csolisr

Argh, chatbots are going to flood the bbs equivalents, dang it. Yesno?

I really don’t want the answer to be in-person introductions because I remember the dialup period as being better for people who didn’t “look like” programmers.

… I was hoping you had some ideas one way or the other but if so I haven’t found them. ??

Related discussion from prose submissions

https://writeout.ink/@ljwrites/116081797838241747

@csolisr


@mitchellh

Hey @cstross, look, accelerando's trust network is here!

@Madagascar_Sky @mitchellh Yes? I think I lifted that from either Bruce Sterling or Cory Doctorow. (Probably Bruce. "Maneki Neko".)
@mitchellh That’s social scoring with extra steps.
@mitchellh I don't know if you've read Neal Stephenson's Anathem—this reminds me of the reputation system the ITA (technologists in the society) have to access certain parts of their version of the internet.
@[email protected]
#AI eliminated the natural barrier to entry that let OSS projects trust by default.
To me, this reads:
Corporate automation eliminated the natural barrier to entry that let #OSS projects trust by default.
I'm not sure what you meant by "trust by default", but for sure #opensource projects never let unreviewed code in from strangers.

That's what forks were for.

Now, since your automation won't prevent forks, it looks either pointless or just divisive.

I mean, forks are good!

But are you sure that automated contributor management can solve automated theft and regurgitation by corporations?
Who and how someone is vouched or denounced is up to the project. I'm not the value police for the world.
If it's your code that executes the "flat text file" in the repository, you are in control.

If your project spreads, you would be in the position to execute a wide variety of #SupplyChain and #DDoS attacks.

Even if you wouldn't, anybody taking control of your repo could, turning such repo into a high-value target.

You should really take effective #security measure to avoid this outcome.

For example, you could force downstream projects to fork and adapt your scripts by only ever pushing slightly broken code to your repo.

E.g., before each push you could apply an easy-to-invert

find vouch/|grep nu|xargs -n 1 sed -i 's/use/!!!BrOkEN!!!/g'
This way no one could directly use your GitHub actions without reviewing them and nobody would need to #trust you or your security practices.

____
Also, #GitHub?
The reign of #CopyALot?
I guess projects still there face no trust collapse in AI contributions and in contributing to AI.

@[email protected]
@giacomo @mitchellh @driggy imo gen AI didn't eliminate the barrier, but just raised it. It is up to the submitter to make sure the PR is up to the quality and the code isn't from another project without creds. Ofc that would only be true if we lived in a vacuum world. And it's much worse for projects with bug bounty programs. Either keep gen AI in your hobby projects or use it as an assistive tool or don't use it at all, the burden shouldn't go on the maintainers of the projects -_-
@giacomo @mitchellh @driggy and vouch doesn't really solve any of that problem, it's the same as the project closing of contributions to old contributors. Getting new contributors to get involved would still be harder.
@mitchellh well you can contact a trusted contributor and some tests can be done. I really like it, otherwise #slopocalipse will kill everything interesting.
@mitchellh @RichiH but then we can't call it Open Source anymore, because it's not open to everybody by default anymore. So, how about we call it Vouch Source instead? 
@nils_ballmann @RichiH Open source has nothing to do with open contribution. All the pillars of FOSS are preserved with this. All freedoms still exist.

@mitchellh I was waiting for some form of this to pop up. You're first on my radar.

Things like this will eventually need to be something other than boolean. The clumsy n00b that is instantly denounced has no way to crawl out of that hole.

"Karma" systems where one earns good credit for work also push these things to something other than boolean.

This will always be able to be gamed, but it's at least a helpful speedbump. Thanks for the work.

@jhaas Policy is up to downstream but for my projects if you just talk to me like a normal human, recognize your mistakes etc, I’ll revouch for you. This isn’t meant to be a non human process. On the contrary, this is to encourage a more human process. Just act like any normal human social norm.

@mitchellh I have zero gripes about your design intentions and think that a lot of how mechanisms like this are used will grow organically.

My opinion has been that AI introduces two massive issues of Trust: Identity (who is this _really_) and Authenticity. Part of being authentic is knowing why you can trust something.

Mostly, I'm pleased that people are actively exploring the solution spaces for these problems.

@mitchellh sure. a new sheriff. dictators, benevolent or not, weren't sufficient. Now we have black shirts, too, to decide if you are vouched enough. OSS is dead, man.

And the reason it is dead, is that it repels corporation logic, to embrace totalitarian logic.

@mitchellh @uriel such a compelling argument that open source maintainers shouldn't determine the contributions to the projects that they themselves create otherwise they are "blackshirts" and "dictators". 🙄

@davemangot @uriel Open source was never about open contribution. All the fundamental freedoms and ideals of FOSS are preserved with vouching. In the face of any kind of value system you disagree with, or perceived dictators or whatever, you can fork! With all rights! That’s open source.

So I disagree with you on many points but the cool part is it doesn’t matter cause we can both independently do our own thing and be happy in our own spheres. :)

@mitchellh @davemangot

sorry, I am too old to drink your bullshit, and I was there when the thing started.

You're just a little politician. Maybe you can hypnotize some young who wasn't there at the time.

But not me. Disappear from my sight, young fash. We all know how the story ends.

@davemangot @mitchellh

oh, the fash had friends. Out of my sight, you too. Enjoy the dictatorship you are creating. I know how it ends.

@mitchellh
In retrospect the PGP web of trust would now be useful, had we adopted it more enthusiastically back then.
Perhaps this will be another node in the formation of such a web.
@mitchellh Reminded of key signing party in @archlinux and @debian ;P