
Posted by chwtutha 1 day ago

Vouch (github.com)
https://x.com/mitchellh/status/2020252149117313349

https://nitter.net/mitchellh/status/2020252149117313349

https://github.com/ghostty-org/ghostty/pull/10559

820 points | 376 comments | page 8

jemfinch 1 day ago
Is this the return of Advogato?
IshKebab 16 hours ago
> Who and how someone is vouched or denounced is left entirely up to the project integrating the system.

Feels like making a messaging app but "how messages are delivered and to whom is left to the user to implement".

I think "who and how someone is vouched" is like 99.99% of the problem and they haven't tried to solve it so it's hard to see how much value there is here. (And tbh I doubt you really can solve this problem in a way that doesn't suck.)

vscode-rest 16 hours ago
Yeah… this code is entirely just a parser for a file format the author invented. Exact same thing could be done as a csv. Sacrificing configurability for standardization and all that, but… I don’t see the there, there.

Probably the idea is to eventually have these as some sort of public repo where you can merge files from arbitrary projects together? Or inherit from some well known project’s config?

skeeter2020 16 hours ago
Agree! Real people are not static sets of characteristics, and without an immutable real-world identity this is even harder. It feels like we've just moved the problem from "evaluate code one time" to "continually evaluate a persona that could change owners"
whalesalad 1 day ago
We got social credit on GitHub before GTA 6.
aatd86 16 hours ago
Does it overlap with Contributor License Agreement?
quotemstr 16 hours ago
Fortunately, as long as software is open sourced, forking will remain a viable way to escape overzealous gatekeeping.
readitalready 12 hours ago
Is this social credit?
treeshateorcs 14 hours ago
this wouldn't have helped against the xz attack
jen20 14 hours ago
It's not intended to, though? It's supposed to address the issue of low-effort slop wasting maintainer time, not a well-planned attack.
baq 14 hours ago
Central karma database next, please. Vouch = upvote, denounce = downvote
skeeter2020 16 hours ago
Doesn't this just shift the same hard problem from code to people? It may seem easier to assess the "quality" of a person, but I think there are all sorts of complex social dynamics at play, plus far more change over time. Leave it to us nerds to try and solve a human problem with a technical solution...
mjr00 15 hours ago
> Leave it to us nerds to try and solve a human problem with a technical solution...

Honestly, my view is that this is a technical solution for a cultural problem. Particularly in the last ~10 years, open source has really been pushed into a "corporate dress rehearsal" culture. All communication is expected to be highly professional. Talk to everyone who opens an issue or PR with the respect you would a coworker. Say nothing that might offend anyone anywhere, keep it PG-13. Even Linus had to pull back on his famously vitriolic responses to shitty code in PRs.

Being open and inclusive is great, but bad actors have really exploited this. The proper response to an obviously AI-generated slop PR should be "fuck off", closing the PR, and banning them from the repo. But maintainers are uncomfortable with doing this directly since it violates the corporate dress rehearsal kayfabe, so vouch is a roundabout way of accomplishing this.

zbentley 14 hours ago
What on earth makes you think that denouncing a bot PR with stronger language would deter it? The bot does not and cannot care.

If that worked, then there would be an epidemic of phone scammers or email phishers having epiphanies and changing careers when their victims reply with (well deserved) angry screeds.

mjr00 14 hours ago
I didn't mean the "fuck off" part to be quite verbatim... this ghostty PR[0] is a good example of how this stuff should be handled. Notably: there's no attempt to review or provide feedback--it's instantly recognized as a slop PR--and it's an instant ban from repo.

This is the level of response these PRs deserve. What people shouldn't be doing is treating these as good-faith requests and trying to provide feedback or asking them to refactor, like they're mentoring a junior dev. It'll just fall on deaf ears.

[0] https://github.com/ghostty-org/ghostty/pull/10588

zozbot234 14 hours ago
Sure, but that pull request is blatantly unreviewable because of how it bundles dozens of entirely unrelated commits together. Just say that and move on: it only takes a one-line comment and it informs potential contributors about what to avoid if any of them is lurking the repo.
jack_pp 13 hours ago
One problem with giving any feedback is that it can automatically be used by an agent to make another PR.
zozbot234 13 hours ago
If they immediately make another low-quality PR that's when you ban them because they're clearly behaving like a bad actor. But providing even trivial, boilerplate feedback like that is an easy way of drawing a bright line for contributors: you're not going to review contributions that are blatantly low-quality, and that's why they must refrain from trying to post raw AI slop.
mjr00 13 hours ago
Sounds like we're largely saying the same thing. Open source maintainers should feel empowered to say "nope, this is slop, not reading, bye" and ban you from the repo, without worrying if that seems unprofessional.
zozbot234 13 hours ago
If you explicitly say "this is unreviewable junk, kthxbye" there's nothing unprofessional about it. But just blaming "AI slop" runs into the obvious issue that most people may be quite unaware that AI will generate unreviewable junk by default, unless it's being very carefully directed by an expert user.
verdverm 15 hours ago
> Particularly in the last ~10 years ...

This is maturation, open source being professional is a good sign for the future

zozbot234 15 hours ago
I disagree. The problem with AI slop is not so much that it's from AI, but that it's pretty much always completely unreadable and unmaintainable code. So just tell the contributor that their work is not up to standard, and if they persist they will get banned from contributing further. It's their job to refactor the contribution so that it's as easy as possible to review, and if AI is not up to the task this will obviously require human effort.
mjr00 15 hours ago
You're giving way too much credit to the people spamming these slop PRs. These are not good faith contributions by people trying to help. They are people trying to get pull requests merged for selfish reasons, whether that's a free shirt or something to put on their resume. Even on the first page of closed ghostty PRs I was able to find some prime slop[0]. It is a huge waste of time for a maintainer to nicely tell people like this they need to refactor. They're not going to listen.

Edit: and just to be totally clear this isn't an anti-AI statement. You can still make valid, even good PRs with AI. Mitchell just posted about using AI himself recently[1]. This is about AI making it easy for people to spam low-quality slop in what is essentially a DoS attack on maintainers' attention.

[0] https://github.com/ghostty-org/ghostty/pull/10588

[1] https://mitchellh.com/writing/my-ai-adoption-journey

zozbot234 15 hours ago
If you can immediately tell "this is just AI slop" that's all the review and "attention" you need; you can close the PR and append a boilerplate message that tells the contributor what to do if they want to turn this into a productive contribution. Whether they're "good faith contributors trying to help" or not is immaterial if this is their first interaction. If they don't get the point and spam the repo again then sure, treat them as bad actors.
michaelt 14 hours ago
The thing is, the person will use their AI to respond to your boilerplate.

That means you, like John Henry, are competing against a machine at the thing that machine was designed to do.

bpavuk 15 hours ago
...and waste valuable time reviewing AI slop? it looks surprisingly plausible, but never integrates with the bigger picture.
danilocesar 14 hours ago
Wait until he finds out about GPG signing parties in the early 2000s.