> Indeed, it's relatively impossible without ties to real world identity.
I don't think that's true? The goal of vouch isn't to say "@linus_torvalds is Linus Torvalds" it's to say "@linus_torvalds is a legitimate contributor an not an AI slopper/spammer". It's not vouching for their real world identity, or that they're a good person, or that they'll never add malware to their repositories. It's just vouching for the most basic level of "when this person puts out a PR it's not AI slop".
> Indeed, it's relatively impossible without ties to real world identity.
I don't think that's true? The goal of vouch isn't to say "@linus_torvalds is Linus Torvalds" it's to say "@linus_torvalds is a legitimate contributor an not an AI slopper/spammer". It's not vouching for their real world identity, or that they're a good person, or that they'll never add malware to their repositories. It's just vouching for the most basic level of "when this person puts out a PR it's not AI slop".
That’s not the point.
Point is: when @lt100, @lt101, … , @lt999 all vouch for something, it’s worthless.
That's really easy to clean up, if you maintain the tree of trust. If a parent node gets whacked, all the child nodes do, too.
Real world identity isn't sufficient or necessary to solve that problem.
But surely then a maintainer notices what has happened, and resolves the problem?