Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Subject: Re: [gentoo-project] [RFC] GURU v2, now with reviewed layer
Date: Mon, 04 Feb 2019 18:38:33
Message-Id: CAGfcS_=jqvCo_ijFVaw+gpxBEPG5-Q1rvdgyBUA_AbqocREJLw@mail.gmail.com
On Mon, Feb 4, 2019 at 1:14 PM Joonas Niilola <juippis@×××××.com> wrote:
> This could be 'exploited' with a group of friends. By exploited I mean
> small inner circles forming, where people just approve their friends'
> commits without looking at them.
It sounds like you still need to get the 3 points from already-vetted users to get credit towards having a reputation of your own in the proposal. So, a group of users with no reputation could not confer reputation to each other. Otherwise you could have innocent/ignorant users approving each other's work and gaining reputation without knowing what they're doing. Alternatively you could have a malicious user use sock puppets to gain reputation trivially.

Of course a malicious user could still gain reputation by making genuine contributions. They would just need to do this with three accounts to have the equivalent of developer access. Of course, by that argument somebody can also maliciously become a developer. I don't think the system has to be bulletproof - it just has to be enough of a barrier so that you don't get a ton of low-effort attacks.

My alternate proposal of having users maintain their own trust bits for contributors has the same weakness. Somebody doing enough good work can start slipping in malware. Short of actually verifying identity documents and so on we aren't going to solve that problem.

--
Rich
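An added illustration of the "points only from already-vetted users" rule discussed in this reply (example code written for this archive page, not part of the thread or of the GURU proposal): a small approval graph is iterated to a fixpoint, and the result is compared against naive counting where every approval counts. The user names, the approval graph and the fixpoint semantics are constructed assumptions; the threshold of 3 comes from the message above.

```python
from collections import defaultdict

THRESHOLD = 3  # points needed from already-vetted users (from the thread)

# Constructed approval graph: approver -> contributors whose work they approved.
# dev_a/dev_b/dev_c are the seed of already-vetted users (existing developers).
# newcomer earns three approvals from vetted users; sock1..sock4 form a clique
# that only approves itself, the "group of friends" / sock-puppet case.
APPROVALS = {
    "dev_a": {"newcomer", "sock1"},
    "dev_b": {"newcomer"},
    "dev_c": {"newcomer"},
    "newcomer": {"sock1"},
    "sock1": {"sock2", "sock3", "sock4"},
    "sock2": {"sock1", "sock3", "sock4"},
    "sock3": {"sock1", "sock2", "sock4"},
    "sock4": {"sock1", "sock2", "sock3"},
}
SEED = {"dev_a", "dev_b", "dev_c"}


def naive_reputation(approvals):
    """Count every approval, regardless of who gave it (the weak rule)."""
    points = defaultdict(int)
    for approver, targets in approvals.items():
        for t in targets:
            if t != approver:
                points[t] += 1
    return dict(points)


def vetted_users(approvals, seed, threshold=THRESHOLD):
    """Iterate to a fixpoint: a user becomes vetted only once at least
    `threshold` distinct *already-vetted* users have approved their work.
    Approvals from unvetted accounts never count, so a clique of fresh
    accounts cannot bootstrap reputation for each other."""
    vetted = set(seed)
    while True:
        points = defaultdict(int)
        for approver, targets in approvals.items():
            if approver in vetted:
                for t in targets:
                    if t != approver:
                        points[t] += 1
        newly = {u for u, n in points.items() if n >= threshold} - vetted
        if not newly:
            return vetted
        vetted |= newly
```

Under naive counting the clique members reach the threshold, but under the vetted-only rule sock1 holds only 2 points (dev_a plus newcomer) and the other sock accounts hold none.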