I don't mean to be a killjoy but "vouching for trusted people" is not a scalable way to build a software ecosystem.

@malwareminigun @coderanger You can't expect to solve all social problems with technical tools. That said, if a group of accounts, all with zero external relationships in the web of trust, mounts an influence campaign to get one of their own members made into a project maintainer it's going to look fishy.

@coderanger I've been thinking for a while now that it might be worth taking another shot at the web-of-trust. Long term, I think it's the only way forwards, but I agree unless it's dead simple to use it'll be impossible to hit critical mass. I think there will need to be some compromises on the theoretical security (TOFU vs key signing parties? verifying social media handles vs verifying government IDs?). If we could share a <128 character code on Mastodon (or Matrix or IRC) that served the same purpose as a GPG pub key, I think it'd be a lot easier to get people started.

I guess what I'm saying is: I recognize that getting a web of trust going is a Herculean task and that it failed once before, but in the absense of other good options I think it's worth considering whether we should take another stab at it having learned our lessons from the past.

@jwz I want to fork and maintain a Linux distro approximately as much as I want to learn how to do my own dentistry at home using only supplies I can find in my junk drawer, and yet *here we are.* I'm going to hold out hope for now that Debian does the right thing here and rejects censorship (as it has done for the last 27 years I've been using it).