I see one big difference: with email it was always about sender reputation based on email servers (IPs), maybe about domains, but never about individual users. It's the organizations running the email server who make sure users behave, so they don't get blacklisted and lose sending privileges for hundreds or thousands of users.

For PRs/issues this is not applicable.

Not necessarily. Orgs exist in GitHub, and it seems reasonable that if the $BIGCORP org limits membership to employees, you can automatically trust all members of that org. Because this way, if one steps out of line, you have both an escalation path (contact admins) and a stick (revoke trust in entire org).

Allowing contributions only from big tech companies sounds ideologically questionable from free/libre software movement perspective, and it emboldens decisions which go against the user's interests, such as removing manifestv2 in Chromium.

OP said nothing about only allowing corporations. They simply stated that one path to allowing large swaths of users without having to approve every single individual user is to trust all users of certain orgs by default.

Presumably you would still allow individual contributions but with restrictions unless someone has vouched for them or some other gating factor.

The thing is, it becomes a slippery slope. It's "corp accounts are pre-vouched today", then "non-corp accounts are temporarily suspended for a few days during some downtime", then "we've decided to only allow corp accounts going forward".

Where does the frog stop getting boiled?

I'm pretty sure decimalenough was talking about having the project structured in an org and only allow org members to contribute, not to automatically allow contributions from people that are members of a completely unrelated, corporate-managed org like google.

I am genuinely baffled by how you could possibly parse my comment as suggesting we allow "only" big tech companies.

Because that's the only meaningful interpretation of your suggestion.

Big corp accounts are pre-vouched. And it will be mostly their responsibility to vouch for other accounts.

It doesn’t have to just be companies. It could be some kind of guild with standards and application criteria. That group could vet members and kick them out for posting slop code.

That's exactly what I thought, I don't know why that's not a thing yet.

I had that idea too. Maybe that's the future of OSS development.

As a $BIGCORP member I don't think this would be a great solution. I suspect there are plenty of vibe coding PR spammers that work for my company. And the admins of the GitHub org would not really care, making it easy for staff to contribute to third party projects is nowhere near their top priority (and policing the behaviour of their org members outside of org-owned repos is not in their mandate even if they wanted to).
