Vouch - Hacker News

Posted by chwtutha 21 hours ago

Vouch(github.com)

https://x.com/mitchellh/status/2020252149117313349

https://nitter.net/mitchellh/status/2020252149117313349

https://github.com/ghostty-org/ghostty/pull/10559

493 points | 217 commentspage 2

Yizahi 1 hour ago|

Problem 1 - assuming this Vouch tool gains wide adoption without major fuckups, I predict that a lot of people would "outsource" their own vetting to it, and it would become a circular system where newcomer would not be able to get vouched because everyone will expect others to do it.

Problem 2 - getting banned by any single random project for any reason, like CoC disagreement, a heated Rust discussion, any world politics views etc. would lead to a system-wide ban in all involved project. Kinda like getting a ban for a bad YT comment and then your email and files are blocked forever too.

The idea is nice, like many other social improvement ideas. The reality will 99% depend on the actual implementation and actual usage.

jprosevear 6 hours ago||

Prior art? https://en.wikipedia.org/wiki/Advogato

HiPhish 5 hours ago||

Not sure about this one. I understand the need and the idea behind it is well-intentioned, but I can easily see denouncelists turn into a weapon against wrongthinkers. Said something double-plus-ungood on Twitter? Denounced. Accepted contribution from someone on a prominent denouncelist? Denouced. Not that it was not possible to create such lists before, but it was all informal.

The real problem are reputation-farmers. They open hundreds of low-effort PRs on GitHub in the hope that some of them get merged. This will increase the reputation of their accounts, which they hope will help them stand out when applying for a job. So the solution would be for GitHub to implement a system to punish bad PRs. Here is my idea:

- The owner of a repo can close a PR either neutrally (e.g. an earnest but misguided effort was made), positively (a valuable contribution was made) or negatively (worthless slop)

- Depending on how the PR was closed the reputation rises or drops

- Reputation can only be raised or lowered when interacting with another repo

The last point should prevent brigading, I have to make contact with someone before he can judge me, and he can only judge me once per interaction. People could still farm reputation by making lots of quality PRs, but that's actually a good thing. The only bad way I can see this being gamed is if a bunch of buddies get together and merge each other's garbage PRs, but people can already do that sort of thing. Maybe the reputation should not be a total sum, but per project? Anyway, the idea is for there to be some negative consequences for people opening junk PRs.

pwdisswordfishs 3 hours ago||

> The real problem are reputation-farmers. They open hundreds of low-effort PRs on GitHub in the hope that some of them get merged. This will increase the reputation of their accounts, which they hope will help them stand out when applying for a job. So the solution would be for GitHub to implement a system to punish bad PRs.

GitHub customers really are willing to do anything besides coming to terms with the reality confronting them: that it might be GitHub (and the GitHub community/userbase) that's the problem.

To the point that they'll wax openly about the whole reason to stay with GitHub over modern alternatives is because of the community, and then turn around and implement and/or ally themselves with stuff like Vouch: A Contributor Management System explicitly designed to keep the unwashed masses away.

Just set up a Bugzilla instance and a cgit frontend to a push-over-ssh server already, geez.

rtpg 15 minutes ago|||

I disagree with the "just"-ness of setting up bugzilla + cgit... but I do wonder how far you could go with just being on literally any platform.

Obviously technically the same things are possible but I gotta imagine there's a bit less noise on projects hosted on other platforms

stavros 3 hours ago|||

I mean, "everyone already has an account" is already a very good reason. That doesn't mean "I automatically accept contributions from everyone", it might be "I want to make the process of contribution as easy as possible for the people I want as contributors".

pwdisswordfishs 2 hours ago||

Hatching a reputation-based scheme around a "Contributor Management System" and getting "the people you want as contributors" to go along with it is easier than getting them to fill in a 1/username 2/password 3/confirm-password form? Choosing to believe that is pure motivated reasoning.

stavros 2 hours ago||

People aren't on Github just to implement reputation-based management, though.

pwdisswordfishs 2 hours ago||

What does that observation have to do with the topic under the microscope?

stavros 1 hour ago||

> GitHub customers really are willing to do anything besides coming to terms with the reality confronting them: that it might be GitHub (and the GitHub community/userbase) that's the problem.

The community might be a problem, but that doesn't mean it's a big enough problem to move off completely. Whitelisting a few people might be a good enough solution.

zozbot234 5 hours ago|||

GitHub needs to implement eBay-like feedback for contributors. With not only reputation scores, but explanatory comments like "AAAAAAAAAAAAAA++++++++++++ VERY GOOD CONTRIBUTIONS AND EASY TO WORK WITH. WOULD DEFINITELY MERGE THEIR WORK AGAIN!"

zbentley 4 hours ago|||

I know this is a joke, but pretending for a moment that it isn’t: this would immediately result in the rep system being gamed the same way it is on eBay: scam sellers can purchase feedback on cheap or self-shipping auctions and then pivot into defrauding people on high-dollar sales before being banned, rinse, and repeat.

Loughla 5 hours ago||||

The ones I've never understood are: Prompt payment. Great buyer.

I can't check out unless I pay. How is that feedback?

HiPhish 1 hour ago||

I don't know how it is where where you live, but here there are two possibilities I can think of:

- When I buy an item I still have to click a "check out" link to enter my address and actually pay for the item. I could take days after buying the item to click that link. - Some sellers might not accept PayPal, instead after I check out I get the sellers bank information and have to manually wire the money. I could take days after checking out to actually perform the money transfer.

HiPhish 5 hours ago|||

I think merged PRs should be automatically upvoted (if it was bad, why did you merge it?) and closed unmerged PRs should not be able to get upvoted (if it was good, why did you not merge it?).

MarkusQ 4 hours ago||

Intrinsically good, but in conflict with some larger, out of band concern that the contributor could have no way to know about? Upvote to take the sting out of rejection, along with a note along the lines of "Well done, and we would merge is it weren't for our commitment to support xxx systems which are not compatible with yyy. Perhaps refactor as a plugin?"

Also, upvotes and merge decisions may well come from different people, who happen to disagree. This is in fact healthy sometimes.

pixl97 4 hours ago||

>The only bad way I can see this being gamed is if a bunch of buddies get together and merge each other's garbage PR

Ya, I'm just wondering how this system avoids a 51% attack. Simply put there are a fixed number of human contributers, but effectively an infinite number of bot contributers.

larodi 1 hour ago||

After the economy of attention, no things enter the economy of trust.

moogly 8 hours ago||

So you're screwed if you don't have any connections. In that way it's just like meat space.

tristan957 2 hours ago||

Nobody is screwed in the Ghostty project. Simply open a discussion to discuss your idea.

eightnoteight 4 hours ago||

exactly this, verification should always been on the code

if someone fresh wants to contribute, now they will have to network before they can write code

honestly i don't see my self networking just so that i can push my code

I think there are valid ways to increase the outcome, like open source projects codifying the focus areas during each month, or verifying the PRs, or making PRs show proof of working etc,... many ways to deter folks who don't want to meaningfully contribute and simply ai generate and push the effort down the real contributors

ctoth 3 hours ago||

Ah, we have converted a technical problem into a social problem. Historically those are vastly easier to solve, right?

Spam filters exist. Why do we need to bring politics into it? Reminds me of the whole CoC mess a few years back.

Every time somebody talks about a new AI thing the lament here goes:

> BUT THINK OF THE JUNIORS!

How do you expect this system to treat juniors? How do your juniors ever gain experience committing to open source? who vouches for them?

This is a permanent social structure for a transient technical problem.

defen 1 hour ago||

"Juniors" (or anyone besides maintainers) do not fundamentally have a right to contribute to an open source project. Before this system they could submit a PR, but that doesn't mean anyone would look at it. Once you've internalized that reality, the rest flows from there.

WatchDog 1 hour ago||

> Ah, we have converted a technical problem into a social problem.

Surely you mean this the other way around?

Mitchell is trying to address a social problem with a technical solution.

tmvnty 12 hours ago||

Are we seeing forum moderations (e.g., Discourse trust levels^[1]) coming to source code repositories?

[1]: https://blog.discourse.org/2018/06/understanding-discourse-t...

someone_jain_ 20 hours ago||

Hope github can natively integrate something in the platform, a relevant discussion I saw on official forums: https://github.com/orgs/community/discussions/185387

matthewisabel 20 hours ago|

We'll ship some initial changes here next week to provide maintainers the ability to configure PR access as discussed above.

After that ships we'll continue doing a lot of rapid exploration given there's still a lot of ways to improve here. We also just shipped some issues related features here like comment pinning and +1 comment steering [1] to help cut through some noise.

Interested though to see what else emerges like this in the community, I expect we'll see continued experimentation and that's good for OSS.

[1] https://github.blog/changelog/2026-02-05-pinned-comments-on-...

otterley 2 hours ago||

I'm reminded of the old Usenet responses to people claiming to solve the spam problem, so I can't help myself:

    Your solution advocates a
    ( ) technical (X) social ( ) policy-based ( ) forge-based
    approach to solving AI-generated pull requests to open source projects. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws.)
    
    ( ) PR spammers can easily use AI to adapt to detection methods
    ( ) Legitimate non-native English speakers' contributions would be affected
    ( ) Legitimate users of AI coding assistants would be affected
    ( ) It is defenseless against determined bad actors
    ( ) It will stop AI slop for two weeks and then we'll be stuck with it
    (X) Project maintainers don't have time to implement it
    (X) Requires immediate total cooperation from maintainers at once
    (X) False positives would drive away genuine new contributors
    
    Specifically, your plan fails to account for
    (X) Ease of creating new GitHub accounts
    (X) Script kiddies and reputation farmers
    ( ) Armies of LLM-assisted coding tools in legitimate use
    (X) Eternal arms race involved in all detection approaches
    ( ) Extreme pressure on developers to use AI tools
    (X) Maintainer burnout that is unaffected by automated filtering
    ( ) Graduate students trying to pad their CVs
    ( ) The fact that AI will only get better at mimicking humans
    
    and the following philosophical objections may also apply:
    (X) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    (X) Allowlists exclude new contributors
    (X) Blocklists are circumvented in minutes
    ( ) We should be able to use AI tools without being censored
    (X) Countermeasures must work if phased in gradually across projects
    ( ) Contributing to open source should be free and open
    (X) Feel-good measures do nothing to solve the problem
    (X) This will just make maintainer burnout worse
    
    Furthermore, this is what I think about you:
    (X) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out what project you maintain and
    send you 50 AI-generated PRs!

mmooss 2 hours ago|

> forge-based

mijoharas 3 hours ago|

> The idea is based on the already successful system used by @badlogicgames in Pi. Thank you Mario.

This is from the twitter post referenced above, and he says the same thing in the ghostty issue. Can anyone link to discussion on that or elaborate?

(I briefly looked at the pi repo, and have looked around in the past but don't see any references to this vouching system.)

More comments...