• Gork@lemm.ee
    link
    fedilink
    arrow-up
    126
    ·
    10 days ago

    Also cybersecurity implications here. Nefarious actors can prop up their evildoings with fake stars and pose as legitimate projects.

    • aliser@lemmy.world
      link
      fedilink
      arrow-up
      27
      ·
      9 days ago

      my first thought. I usually rely on stars for “trustworthiness” of random projects before running their code.

      • entropicdrift@lemmy.sdf.org
        link
        fedilink
        arrow-up
        2
        ·
        8 days ago

        Ironically an open source project with under 100 stars now seems more trustworthy by default because you can be sure they aren’t lying

  • AItoothbrush@lemmy.zip
    link
    fedilink
    English
    arrow-up
    80
    arrow-down
    10
    ·
    10 days ago

    I almost commented something like “thats extremely overpriced, why dont you set up a raspberry pi to do it for you for free” and then i realized the people who could do that dont need fake stars.

      • AItoothbrush@lemmy.zip
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        9 days ago

        Automation. You replace the user with a script that does everything. Not that hard. Captchas dont really work anymore with ai, and you can pay people to do it for you for a fraction of a cent instead of the absurd prices listed.

        • theherk@lemmy.world
          link
          fedilink
          arrow-up
          25
          ·
          9 days ago

          But you still need the user accounts. Which must be created and are verified by email. Then you have to generate tokens for them to call the api endpoint to add the star. I’m not saying it isn’t doable, but it would be non-negligible and GitHub is going to squash you back at some point creating all those accounts from one source.

          • dil@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            9 days ago

            Right - the cost is your time instead of dollars.

            I don’t like doing stuff, so I give my time an hourly rate of $100. Absolute BEST case scenario (for me) would be that this is a weekend project, so call it 10 hours.

            So my best case break-even point would be 10K stars. Which seems like it’d be more than I’d need?

          • gravitas_deficiency@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            9 days ago

            But the main point is that good and well-written code doesn’t need this sort of misdirection, nor would the authors generally engage in this sort of thing

            • David J. Shourabi Porcel@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              8 days ago

              You seem to imply bad programmers use these services to star-boost their otherwise mediocre code. That might be the case, but there are other –at least conceivable, if not yet proven– use cases for these star-boosting services, such as typosquatting, the promotion of less secure software as part of supply chain attacks (with organizations sticking to vulnerable libraries or frameworks in the erroneous belief that they are more popular and better maintained than alternatives, for example) and plain malware distribution.

              • gravitas_deficiency@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                3
                ·
                8 days ago

                I mean… I was sort of taking “good” code to imply “not malicious”, in addition to it being written well. But yeah, I completely agree, in the context of attack vectors you mention.

    • David J. Shourabi Porcel@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      8 days ago

      On the one hand, one Raspberry Pi would not really suffice. As @theherk@lemmy.world argued, you would need legitimate email addresses, which would require either circumventing the antibot measures of providers like Google or setting up your own network of domains and email servers. Besides that, GitHub would (hopefully) notice the barrage of API requests from the same network. To avoid that and make your API requests seem legitimate, you would need infrastructure to spread your requests in time and across networks. You would either build and maintain that infrastructure yourself –which would be expensive for a single star-boosting operation– or, well, pay for the service. That’s why these things exist.

      On the other hand, although bad programmers might use these services to star-boost their otherwise mediocre code, as you suggest, there are other –at least conceivable, if not yet proven– use cases, such as:

      • the promotion of less secure software as part of supply chain attacks, with organizations sticking to vulnerable libraries or frameworks in the erroneous belief that they are more popular and better maintained than alternatives, for example;
      • typosquatting; and
      • plain malware distribution.
      • jagged_circle@feddit.nl
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        8 days ago

        I think you’re joking, but if their accounts dont get banned immediately and the stars removed a week after you pay, then their stars are actually the bestest

        • HiddenLayer555@lemmy.ml
          link
          fedilink
          English
          arrow-up
          5
          ·
          edit-2
          8 days ago

          There’s a chance their stars take so long because they might be using click farms to manually generate them which would be harder for spam detection to catch compared to generating stars with bots and hacked accounts, since technically there are actually x many people actually giving you stars, they’re just being paid to do so.

  • phar@lemmy.ml
    link
    fedilink
    arrow-up
    27
    arrow-down
    1
    ·
    9 days ago

    I am not a programmer. But I have been using github as an end user for years, downloading programs I like and whatnot. Today I realized there are stars on github. Literally never even noticed.

    • NotMyOldRedditName@lemmy.world
      link
      fedilink
      arrow-up
      17
      ·
      9 days ago

      The stars are more important when you’re a developer. It indicates interest in the project, and when it’s a library you might want to use that translates into how well maintained it might be and what level of official and unofficial support you might get from it.

      Other key things to look at are how often are they doing releases and committing changes, how long bugs are left open, if pull requests sit there forever without being merged in etc.

      • lemmyingly@lemm.ee
        link
        fedilink
        arrow-up
        4
        ·
        9 days ago

        And if the developers were to give up on the project, how likely it would be for someone to fork it and continue.

        • logging_strict@lemmy.ml
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          8 days ago

          An experienced developer could easily step in. The hold back is getting compensated for the effort rather than being forced to turn tricks on the local street corner (aka work a job).

          This is why devs are walking away.

          Companies offering jobs to maintainers rather than directing funding at them is nonsense. Gov’ts and companies will wake up as cracks start snowballing in their tech stack.

        • logging_strict@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          8 days ago

          That’s unfair. Throwing out FUD doesn’t make it true.

          Why be in a rush to judge? Might wanna watch some projects which have used this tactic.

          Might be legitimate projects are willing to do whatever to attract eye balls.

          Just for shiats and giggles, keep an open mind.

        • NotMyOldRedditName@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          8 days ago

          Closed PRs and Closed issues?

          What if it’s a side project with 1 star, 0 issues (because no one made any) and no PRs because no ones done work on it?

          • B0rax@feddit.org
            link
            fedilink
            arrow-up
            2
            ·
            8 days ago

            Really does depend on what we are talking about. Some random software that is not critical? Sure. Some system breaking library that would take down my servers in case of malfunction? No bueno.

            • logging_strict@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              8 days ago

              Throwing out FUD.

              The stars reflect the marketing effort put in. Has no correlation to the software quality or whether it’s critical or not.

          • logging_strict@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            8 days ago

            Initially, the stats will reflect amount of marketing effort put into the project.

            The marketing will attract both users and a flow of issues and PRs.

            I’ve done zero marketing for my packages. And it shows ;-)

          • Dnb@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 days ago

            More so if spme software had dozens or hundreds of open issues/PRs for months that never get looked at I’ll look elsewhere

            Don’t want unstable dependencies

  • geography082@lemm.ee
    link
    fedilink
    arrow-up
    22
    arrow-down
    2
    ·
    9 days ago

    There is a clear situation in Foss( even more in self hosting) where projects are presented as free open source but they are intended to monetize at the end and use the community help for development.

      • David J. Shourabi Porcel@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        8 days ago

        If I understand them correctly, @geography082@lemm.ee’s point is not that it is wrong to monetize FOSS, but rather that companies increasingly develop open source projects for some time, benefiting from unpaid work in the form of contributions and, perhaps most importantly, starving other projects from both such contributions and funding, only to cynically change the license once they establish a position in their respective ecosystem and lock in enough customers. The last significant instance that I remember is Redis’ case, but there seem to be ever more.

    • FlappyBubble@lemmy.ml
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      9 days ago

      Can you give examples of this? What is the coat to the end user? Hardware, IT-services (VPS, and alike?) or like map providers using OSM data?

        • blackfire@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          9 days ago

          In my opinion that was a little different. The enterprise was using the software basically, contributing nothing but selling services around it. The licence was meant to force them to help out monetarily from what they were making off it. But rather than do that Mason forked it and now have to support their own imp with their own devs.

          • D_Air1@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            8 days ago

            Which is just as good in my opinion if I am understanding the situation correctly.

    • conicalscientist@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      8 days ago

      This happened in the earlier years of Android. Developers were FOSS until people helped them get the app to a polished state. Then close it and charge money. Make a big push to promote the paid app.

  • B0rax@feddit.org
    link
    fedilink
    arrow-up
    17
    ·
    8 days ago

    You can buy any metric on the web. Amazon reviews, YouTube subscribers and likes, X followers, Reddit karma, …. I am not surprised that GitHub stars are one of them.

  • BaumGeist@lemmy.ml
    link
    fedilink
    arrow-up
    15
    ·
    8 days ago

    On the Caveat Emptor (“Let the buyer beware”) side of things, I look at other metrics well before I rely on stars.

    How many contributors does it have? How many active forks? How many pull requests? How many issues are open and how many get solved and how often and how lively are the discussions? When was the last merge? How active is the maintainer?

    Stars might as well be facebook likes imo: when used as intended, they didn’t say much more than “this is what the majority of people like” (surprise, I’m on lemmy bc I have other priorities than what’s popular), now they mean nothing at all.

  • CrypticCoffee@lemmy.mlM
    link
    fedilink
    arrow-up
    14
    arrow-down
    2
    ·
    10 days ago

    Why would it be? Software is good based on it’s use and recommendations from real folk, not *s. Many project not on github

      • JoeKrogan@lemmy.world
        link
        fedilink
        arrow-up
        10
        arrow-down
        1
        ·
        10 days ago

        Sure if you browse by github but in my use of the site over the years I go to the repo from the webpage of the project or from another source such as a link from a blog or something.

      • CrypticCoffee@lemmy.mlM
        link
        fedilink
        arrow-up
        7
        arrow-down
        1
        ·
        10 days ago

        I never went with a software project from random scrolling. It has no value to me if it doesn’t meet a need I have right now.

        No contributor is going to be good that doesn’t use it.

    • 💭 ᴍɪɴʏᴀᴇɴ@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      2
      ·
      10 days ago

      Yeah, I’d argue that the project can be good and not widely used. Do you think that there are projects with real use case and are great open source software and not widely used because its buried under the *s?

      It could be a relatively inexpensive way for niche marketing. Especially if the developer has a payment option with the software. Probably a decent way to get the software out in the open for profitability, no?

      • CrypticCoffee@lemmy.mlM
        link
        fedilink
        arrow-up
        4
        ·
        10 days ago

        That is more down to poor marketing. Here on Lemmy or reddit there are big open source communities where you can extol the values of it.

      • paradox2011@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        10 days ago

        From a pragmatic standpoint, yeah it would accomplish that goal. However, that discounts the intended purpose of the stars, which is to represent an individuals attribution of personal value and trust. They lose significance and become misleading if you can buy them, which holds true even for good software. When we see a github star is should represent someone who has used the software, finds value in it or who respects and trusts the project.

      • 💭 ᴍɪɴʏᴀᴇɴ@lemmy.mlOP
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        10 days ago

        Just trying to play a little devils advocate. Not saying that its ethical to do it, but if morals/ethics don’t play a part in the decision, it could prove useful. Besides, I’d imagine that its already being extorted pretty heavily if there’s that much competition for sellers, hah.

    • glans [it/its]@hexbear.net
      link
      fedilink
      English
      arrow-up
      3
      ·
      9 days ago

      Well for me personally if I am seeking an application to solve a problem and there are 2 comparable options which are on github, I will first try the one with more stars. Especially if there is a large discrepancy.

      When I compare a github vs a non-github project I take into consideration that the other code forge has fewer users, and also I generally prefer devs who take the initiative to get off github. So I will usually give them a go unless the project is too incomplete/stale/inactive.

  • EmilieEvans@lemmy.ml
    link
    fedilink
    arrow-up
    9
    ·
    9 days ago

    Also, what if this is an actual viable way to “market” for an open-source project?

    I am fortunate enough to not market my stuff:

    If somebody finds and can make use of it. Great.

    In the other case who cares? Didn’t hurt or cost me anything to publish it.

    Fake GitHub stares have other implications: Typosquatting is a real issue and fake stars make it more convincing that it is the genuine project.

  • toastal@lemmy.ml
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    8 days ago

    Programming never needed these sorts of social media features in the first place. Do you part by getting your projects off of Microsoft’s social media platform used to try to sell you Copilot AI & take a cut of your donations to projects with Sponsors.

        • David J. Shourabi Porcel@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          8 days ago

          Git is overrated.

          That’s interesting to read; I wasn’t even aware of the existence of Darcs — or any other alternative to git supposedly worth considering, for that matter. Would you elaborate on it?

          • toastal@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            7 days ago

            Pijul is also worth looking at.

            Fundamentally anything with a snapshot-based model is reliant on patch order mattering. As such you always end up with some centralized server. Pijul & Darcs are based on Patch Theory that says if Patch B is applied before or after Patch A assuming there is no conflict or dependence, it should not matter in a communicative way—that is to say the 1 + 2 ≡ 2 + 1. You can avoid a series of conflicts & better support a distibuted/decentralized development model if the order doesn’t matter.

  • Donkter@lemmy.world
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    10 days ago

    Shocking, a site full of diy programmers and hackers are trying to hack the system. Maybe even just for fun.

  • Magnetic_dud@discuss.tchncs.de
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    8 days ago

    Why a real person would star a project? When I star a project then my GitHub home is littered with activity from that project. I hate that, so I never star anything