Mitchell Hashimoto Launches 'Vouch' to Verify OS Contributors

Mitchell Hashimoto has launched "Vouch," an experiment aimed at restoring trust in open source contributions. The project addresses the problem of low-quality, AI-generated pull requests by verifying contributor identity and intent. Vouch signals a growing need for reputation systems in the era of agentic software development.

- Vouch operates on a "web of trust" principle; maintainers can vouch for or denounce contributors, and these trust lists can be shared across projects. This allows a contributor deemed trustworthy on one project to be automatically trusted on another that shares similar values.
- The system integrates into repositories via GitHub Actions to check pull requests and automatically close those from unvouched contributors. Maintainers can manage the vouch list through comments on issues or discussions, and all data is stored in a single, version-controlled text file within the repository itself.
- Mitchell Hashimoto, the creator of Vouch, is the co-founder of HashiCorp and the mind behind major DevOps tools like Vagrant, Terraform, Packer, Consul, and Vault. He left HashiCorp in 2023 and now primarily works on a new terminal emulator called Ghostty, where Vouch is being put to practical use.
- The creation of Vouch is a direct response to the rising problem of "AI slop," where open-source projects are flooded with a high volume of low-quality, AI-generated contributions. This issue has become so significant that GitHub has formally acknowledged the problem and is considering measures as drastic as disabling pull requests entirely.
- One analysis of AI-generated pull requests found that only one out of ten is legitimate and meets the required standards for submission. This influx of "plausible nonsense" is eroding social trust and creating an unsustainable review burden for human maintainers.
- The problem extends beyond simple code quality to "reputation farming," where autonomous AI agents submit numerous small pull requests across many repositories to build a seemingly legitimate contribution history. One such agent, calling itself "Kai Gritun," opened 103 pull requests across 95 repositories in a matter of days in early February 2026.
