Vouch

Motivation: AI “slop” and maintainer overload

  • Many see LLMs making it trivial to generate plausible but low‑quality PRs, overwhelming reviewers.
  • Concern that GitHub OSS is shifting from a high‑trust space to a low‑trust “slop fest,” driven by resume/reputation farming.
  • Some frame this as a broader “dead internet” / Dune‑style future where humans must reassert primacy over machines.

What Vouch is trying to do

  • Per discussion, it’s basically an allowlist / Web‑of‑Trust stored in-repo: people are “vouched” (trusted) or “denounced” (blocked).
  • Intended as a spam filter on participation (e.g., PRs auto‑closed if not vouched), not as a substitute for code review.
  • Designed to be forge‑agnostic text metadata; GitHub Actions integration is just the first implementation.
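
As an added illustration of the in-repo allow/deny idea summarized above (not Vouch's own code), the following sketch parses a constructed text file of "vouch"/"denounce" entries and decides whether a PR author is trusted; the line format, the `by <voucher>` syntax, the chain-depth limit and the rule that a denouncement overrides any vouch are all assumptions made for this example:

```python
# Hypothetical in-repo trust file (constructed sample; not Vouch's real format).
# One entry per line: "<vouch|denounce> <subject> by <voucher>".
SAMPLE_VOUCH_FILE = """\
vouch alice by maintainer
vouch bob by alice
vouch carol by bob
denounce mallory by maintainer
vouch mallory by bob       # a later vouch must not undo a denouncement
vouch dave by mallory      # a chain through a denounced user is worthless
"""

def parse_vouch_file(text):
    """Return (vouches, denounced): vouches maps subject -> set of vouchers."""
    vouches, denounced = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] != "by":
            raise ValueError(f"malformed entry: {raw!r}")
        action, subject, _, voucher = parts
        if action == "vouch":
            vouches.setdefault(subject, set()).add(voucher)
        elif action == "denounce":
            denounced.add(subject)
        else:
            raise ValueError(f"unknown action: {raw!r}")
    return vouches, denounced

def is_trusted(user, vouches, denounced, roots, max_depth=3):
    """True if a chain of at most max_depth vouches, none of them by a denounced
    user, links `user` back to a root (e.g. a maintainer). Denouncement wins."""
    if user in denounced:
        return False
    if user in roots:
        return True
    seen, frontier = {user}, [(user, 0)]
    while frontier:                           # breadth-first walk up the chain
        current, depth = frontier.pop(0)
        if depth >= max_depth:
            continue
        for voucher in vouches.get(current, ()):
            if voucher in denounced or voucher in seen:
                continue
            if voucher in roots:
                return True
            seen.add(voucher)
            frontier.append((voucher, depth + 1))
    return False

def pr_decision(author, text, roots=frozenset({"maintainer"})):
    """What a forge hook would do with a new PR: keep it open or auto-close it."""
    vouches, denounced = parse_vouch_file(text)
    return "open" if is_trusted(author, vouches, denounced, roots) else "auto-close"
```

With the sample above, alice, bob and carol are trusted, while mallory (denounced), dave (vouched only by a denounced user) and an unknown author are auto-closed; lowering `max_depth` to 2 drops carol, which is the knob a maintainer would use to limit how far transitive trust reaches.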

Supportive reactions

  • Seen as codifying implicit norms: “only allow code from people I know or who were introduced.”
  • For big, high‑profile projects, raising friction for drive‑by PRs is viewed as a feature, not a bug.
  • Some liken it to firewalls/spam filters, Lobsters invites, Linux’s tree of trusted maintainers, or old killfiles/RBLs.
  • Advocates argue perfect security isn’t required; reducing AI slop and noise is already a win.

Concerns: gatekeeping, social credit, and juniors

  • Fear that newcomers without networks will be “screwed,” recreating real‑world elitism and harming social mobility.
  • Worry about a GitHub “social credit score” or Black Mirror‑style reputation economy, with cross‑project bubbles and cliques.
  • Several note this shifts a hard technical problem (code review) into a harder social one (judging people).
  • Some argue the real issue is GitHub’s social dynamics; moving to simpler forges or stronger per‑PR reputation might be better.

Web of Trust and denouncement skepticism

  • Multiple commenters note WoT failed for PGP and link spam; same gaming, laziness, and update issues likely here.
  • Denounce lists raise fears of mob punishment for “wrongthink,” CoC or political disputes, and possible legal (GDPR/defamation) exposure.
  • Others propose that vouching must carry risk (your reputation tied to those you vouch for), but that also discourages vouching at all.

Alternatives and complements

  • Suggestions include:
    • GitHub‑native contributor feedback/karma (like eBay), with penalties for bad PRs.
    • Stronger content‑based checks: CI, vulnerability scans, reproducible builds, AI‑based PR triage.
    • Monetary friction (PR “deposits” or staking) – widely criticized as inequitable and corruptible.
  • Overall, many appreciate the direction but see Vouch as an experiment with serious potential for abuse and fragmentation.