February 8, 2026

Trust me, bro—now with receipts

Article URL →HN comments →

Vouch

Open-source gets a velvet rope: cheers, fears, and blacklist drama

TLDR: Ghostty launched Vouch, a tool that lets projects require trusted contributors and block denounced users, even sharing trust lists. Commenters split between fears of blacklist politics and a pragmatic “just un‑vouch” stance, asking if this will curb AI spam or ignite guilt-by-association drama.

Open-source just installed a bouncer. Ghostty’s experimental Vouch system lets projects require trusted contributors, auto-close untrusted pull requests (code changes), and even share trust lists across projects—a “web of trust.” Translation: you need someone to say you’re legit before you step onto the dance floor. Cue community drama. One commenter dropped receipts with a link to the previous debate, and the crowd split fast: is this smart crowd control or gatekeeping with a side of witch-hunt? The anti side warns it’s “relatively impossible” to do right without real-world identity, basically calling it a vibes-based blacklist. The pragmatic camp shrugged: you’ll never get perfection, but limit bad actors—especially now that AI can crank out slick-looking nonsense. The spiciest flare-up: a user suggesting it’s “not hard to denounce the tree” of folks tied to a bad actor. That sparked panic over guilt-by-association and drama trees. Supporters countered with a breezy, “Then you just un-vouch them,” painting Vouch as a GitHub bouncer with a clipboard and an undo button. Jokes flew—“Web of Trust or Web of Suspicion?”—but everyone agreed the stakes are softer: if one slip-up gets through, you kick them back out. For now, the velvet rope stays up

Key Points

  • Vouch enforces contributor access based on explicit vouching or denouncing, configurable per project.
  • It provides out-of-the-box GitHub integration via Actions (check-pr, manage-by-discussion, manage-by-issue).
  • The vouch list is a single minimal flat file, parseable with POSIX tools and any language without external libraries.
  • Vouch supports a web-of-trust by importing other projects’ vouch/denounce lists to share trust decisions.
  • The CLI is a Nushell module with integrated help, status checks (exit codes 0/1/2), and commands to add users.

Hottest takes

"relatively impossible without ties to real world identity" — DJBunnies
"not hard to denounce the tree of folks rooted at the original bad actor" — dboon
"Then you would just un-vouch them?" — hobofan

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.