Mitchell Hashimoto
@mitchellh@hachyderm.io  ·  3 days ago

AI eliminated the natural barrier to entry that let OSS projects trust by default. People told me to do something rather than just complain. So I did. Introducing Vouch: explicit trust management for open source. Trusted people vouch for others. https://github.com/mitchellh/vouch

The idea is simple: Unvouched users can't contribute to your projects. Very bad users can be explicitly "denounced", effectively blocked. Users are vouched or denounced by contributors via GitHub issue or discussion comments or via the CLI.

Integration into GitHub is as simple as adopting the published GitHub actions. Done. Additionally, the system itself is generic to forges and not tied to GitHub in any way.

Who and how someone is vouched or denounced is up to the project. I'm not the value police for the world. Decide for yourself what works for your project and your community.

All of the data is stored in a single flat text file in your own repository that can be easily parsed by standard POSIX tools or mainstream languages with zero dependencies.

My hope is that eventually projects can form a web of trust so that projects with shared values can share their vouch lists with each other (automatically) so vouching or denouncing a person in one project has ripple effects through to other projects.

The idea is based on the already successful system used by @badlogicgames in Pi. Thank you Mario.

Ghostty will be integrating this imminently.

GitHub - mitchellh/vouch: A contributor trust management system based on explicit vouches to participate.
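A worked illustration of the vouch/denounce rules described in the post above, added here and not code from the Vouch project. It assumes a hypothetical one-record-per-line layout (`vouch <user> by <contributor>` / `denounce <user> by <contributor>`), treats a denounce as overriding any vouch, ignores records made by non-contributors, and merges a trusted peer project's list to show the web-of-trust sharing idea; all names and records are constructed.

```python
# Added example, not code from the Vouch project; the one-record-per-line layout
# below is an assumption made for illustration, not Vouch's real file format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    action: str  # "vouch" or "denounce"
    user: str    # account being vouched for or denounced
    by: str      # contributor who made the call


def parse_trust_file(text: str) -> list[Record]:
    """Parse '<vouch|denounce> <user> by <contributor>' lines.
    Blank lines and '#' comments are skipped; anything else is rejected."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("vouch", "denounce") or parts[2] != "by":
            raise ValueError(f"line {lineno}: malformed record {raw!r}")
        records.append(Record(parts[0], parts[1].lower(), parts[3].lower()))
    return records


def decide(records: list[Record], user: str, contributors: set[str]) -> str:
    """Return 'allow', 'deny' or 'unvouched'. A denounce beats any vouch, and
    only records made by a current contributor count (a stranger cannot vouch)."""
    user = user.lower()
    valid = [r for r in records if r.user == user and r.by in contributors]
    if any(r.action == "denounce" for r in valid):
        return "deny"
    return "allow" if any(r.action == "vouch" for r in valid) else "unvouched"


def merge(local: list[Record], shared: list[Record]) -> list[Record]:
    """Web-of-trust sharing: union of both lists, order kept, exact duplicates
    dropped. Call decide() with the union of both projects' contributors."""
    return list(dict.fromkeys(local + shared))


# Constructed sample lists (hypothetical format, not real data).
LOCAL = parse_trust_file("""\
vouch alice by maintainer1
vouch bob by maintainer2      # later denounced below
vouch mallory by stranger     # 'stranger' is not a contributor: ignored
denounce bob by maintainer1
""")
SHARED = parse_trust_file("denounce alice by peer_maintainer\n")
CONTRIBUTORS = {"maintainer1", "maintainer2"}
PEER_CONTRIBUTORS = {"peer_maintainer"}
```

Note that a shared denounce only takes effect once the peer project's contributors are also trusted; with only the local contributor set, the peer's record is ignored.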
Giacomo Tesio
@giacomo@snac.tesio.it replied  ·  3 days ago
@mitchellh@hachyderm.io
#AI eliminated the natural barrier to entry that let OSS projects trust by default.
To me, this reads:
Corporate automation eliminated the natural barrier to entry that let #OSS projects trust by default.
I'm not sure what you meant by "trust by default", but for sure #opensource projects never let unreviewed code in from strangers.

That's what forks were for.

Now, since your automation won't prevent forks, it looks either pointless or just divisive.

I mean, forks are good!

But are you sure that automated contributor management can solve automated theft and regurgitation by corporations?
Who and how someone is vouched or denounced is up to the project. I'm not the value police for the world.
If it's your code that executes the "flat text file" in the repository, you are in control.

If your project spreads, you would be in the position to execute a wide variety of #SupplyChain and #DDoS attacks.

Even if you wouldn't, anybody taking control of your repo could, turning such repo into a high-value target.

You should really take effective #security measure to avoid this outcome.

For example, you could force downstream projects to fork and adapt your scripts by only ever pushing slightly broken code to your repo.

E.g., before each push you could apply an easy-to-invert

find vouch/|grep nu|xargs -n 1 sed -i 's/use/!!!BrOkEN!!!/g'
This way no one could directly use your GitHub actions without reviewing them, and nobody would need to #trust you or your security practices.

____
Also, #GitHub?
The reign of #CopyALot?
I guess projects still there face no trust collapse in AI contributions and in contributing to AI.

@driggy@mastodon.gamedev.place
PKs Powerfromspace1
@Powerfromspace1@mstdn.social replied  ·  3 days ago

@giacomo @mitchellh @driggy thanks 🙏

Giacomo Tesio
@giacomo@snac.tesio.it replied  ·  3 days ago
@Powerfromspace1@mstdn.social

You are welcome!

Unfortunately I've just been informed that I was blocked a while ago by hachyderm.io's admin (a #Google employee, if I understood correctly), so it's unlikely @mitchellh@hachyderm.io will read my #security advice.

Feel free to point him to the post through its direct URL if you think it might be useful: https://snac.tesio.it/giacomo/p/1770539827.267986
@driggy@mastodon.gamedev.place
Madagascar_Sky
@Madagascar_Sky@mastodon.social replied  ·  3 days ago

@mitchellh

Hey @cstross, look, Accelerando's trust network is here!

Charlie Stross
@cstross@wandering.shop replied  ·  3 days ago

@Madagascar_Sky @mitchellh Yes? I think I lifted that from either Bruce Sterling or Cory Doctorow. (Probably Bruce. "Maneki Neko".)

Scott Francis
@darkuncle@infosec.exchange replied  ·  3 days ago

@mitchellh Reminds me of early PGP Web of Trust days and keysigning parties.

Mitchell Hashimoto
@mitchellh@hachyderm.io replied  ·  3 days ago

@darkuncle That was exactly the inspiration.

Scott Francis
@darkuncle@infosec.exchange replied  ·  3 days ago

@mitchellh This seems like it would take off much more easily without the requirement for offline in-person key review and comparison, too (one of the big drags on adoption for the PGP Web of Trust). And without the invariably awkward "parties" :)
