Crazy Idea: PGP-verified deployments 😮 #4620
hesreallyhim started this conversation in Ideas
I was really saddened the other day when I came across a certain user's profile that proudly displayed his github-readme-stats card... Apparently he is an A+ Contributor!! But something stuck out to me... the "status ring" around the letter grade was only half-filled...hmmm... so I checked out the endpoint where he had deployed his own instance, and no matter whose username I put in... they were A+ Contributors too!! (And, when I stuck his username into the "official" server endpoint, obviously it told a different story.)
I won't waste too much time making fun of this guy, even though he was really rude to me for no reason - the fact that he felt the need to deploy his own fabricated GitHub letter grade is depressing enough on its own... But still, it kinda sucks. As I was poking around other shady denizens of GitHub I found a profile of someone with almost no notable contributions, but who had like 7k followers and followed 50k people...
The reason this matters to me is not because I think it's important to really PROVE that you're better than everyone else if you have an A+ rating or something and therefore we need to police rule-breakers. But the idea that GitHub is turning into some cheap clout-chasing tech version of Instagram really does bum me out. I would like to think that GitHub is, or can be, a place where anyone with any level of interest or skill can get involved in some kind of cool project or another building something with other folks that they'll probably never even meet. So, for example, think about what it means if you're a junior developer and you come on GitHub and you see a bunch of fake profiles with fake followers and fake star ratings and stuff, and you just feel like you're not good enough to get involved. That's why I think this is bad.
That's my argument. So what can you do? Anyone can make an SVG that says that they're a top 1% badass, right? OK, but what if there was some way that maintainers like @anuraghazra and others who maybe have servers that a lot of people use, were able to somehow cryptographically sign the output. I'm not sure what the best solution is - maybe a PGP signature that accompanies the badge image? Maybe a PGP signature that's hidden in the image itself through steganography?? First of all, this is a really cool and fun idea IMO. But to reiterate, the purpose isn't to police people so that people who are A+ contributors can prove they're better than everyone. The point is to discourage this kind of "forgery" because it makes people feel like if they are less than "A" they don't belong here, which is really a shame, and not in keeping with GitHub's Community Guidelines.
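The signing idea in the post above, sketched as an added example (not part of the original post and not code from github-readme-stats). It uses Node's built-in Ed25519 signatures as a stand-in for PGP; `renderBadge`, `signBadge`, `verifyBadge`, both key pairs and the claim fields are hypothetical.

```javascript
const crypto = require("node:crypto");

// Constructed key pairs: the "official" server and a self-hosted fork.
const official = crypto.generateKeyPairSync("ed25519");
const fork = crypto.generateKeyPairSync("ed25519");

// Hypothetical renderer; a real deployment would sign the SVG it serves.
function renderBadge(username, grade) {
  return `<svg xmlns="http://www.w3.org/2000/svg"><title>${username}: ${grade}</title></svg>`;
}

// Sign a hash of the exact SVG plus the username and issue time, so a valid
// badge cannot be edited, reused for another account, or shown forever.
function signBadge(privateKey, username, svg, issuedAt) {
  const svgSha256 = crypto.createHash("sha256").update(svg).digest("hex");
  const claims = JSON.stringify({ username, issuedAt, svgSha256 });
  const signature = crypto.sign(null, Buffer.from(claims), privateKey).toString("base64");
  return { claims, signature };
}

// Verify against the pinned official public key; returns "ok" or a reason.
function verifyBadge(publicKey, username, svg, proof, now, maxAgeSec) {
  const sig = Buffer.from(proof.signature, "base64");
  if (!crypto.verify(null, Buffer.from(proof.claims), publicKey, sig)) return "bad-signature";
  const claims = JSON.parse(proof.claims);
  const svgSha256 = crypto.createHash("sha256").update(svg).digest("hex");
  if (claims.svgSha256 !== svgSha256) return "svg-modified";
  if (claims.username !== username) return "wrong-user";
  if (now - claims.issuedAt > maxAgeSec) return "stale";
  return "ok";
}

// Constructed inputs: one genuine badge and four ways it can be misused.
function demo() {
  const day = 86400;
  const svg = renderBadge("alice", "B");
  const proof = signBadge(official.privateKey, "alice", svg, 1000);
  const forkSvg = renderBadge("alice", "A+");
  const forkProof = signBadge(fork.privateKey, "alice", forkSvg, 1000);
  return {
    genuine: verifyBadge(official.publicKey, "alice", svg, proof, 1500, day),
    forkSigned: verifyBadge(official.publicKey, "alice", forkSvg, forkProof, 1500, day),
    editedSvg: verifyBadge(official.publicKey, "alice", forkSvg, proof, 1500, day),
    replayed: verifyBadge(official.publicKey, "bob", svg, proof, 1500, day),
    expired: verifyBadge(official.publicKey, "alice", svg, proof, 1000 + 2 * day, day),
  };
}
console.log(demo());
```

A signature only shows which server produced the badge, so a viewer still needs the official public key from a trusted place and something that actually performs the check.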