Over 3.1 million fake "stars" on GitHub projects used to boost rankings
Over 3.1 million fake "stars" on GitHub projects used to boost rankings
This doesn't surprise me at all... Just like bots in games. Selling a service that benefits another. Its shady, but definitely believable.
Also, what if this is an actual viable way to "market" for an open source project?
Also cybersecurity implications here. Nefarious actors can prop up their evildoings with fake stars and pose as legitimate projects.
my first thought. I usually rely on stars for "trustworthiness" of random projects before running their code.
Ironically an open source project with under 100 stars now seems more trustworthy by default because you can be sure they aren't lying
You can buy any metric on the web. Amazon reviews, YouTube subscribers and likes, X followers, Reddit karma, …. I am not surprised that GitHub stars are one of them.
I almost commented something like "thats extremely overpriced, why dont you set up a raspberry pi to do it for you for free" and then i realized the people who could do that dont need fake stars.
On the one hand, one Raspberry Pi would not really suffice. As @[email protected] argued, you would need legitimate email addresses, which would require either circumventing the antibot measures of providers like Google or setting up your own network of domains and email servers. Besides that, GitHub would (hopefully) notice the barrage of API requests from the same network. To avoid that and make your API requests seem legitimate, you would need infrastructure to spread your requests in time and across networks. You would either build and maintain that infrastructure yourself –which would be expensive for a single star-boosting operation– or, well, pay for the service. That's why these things exist.
On the other hand, although bad programmers might use these services to star-boost their otherwise mediocre code, as you suggest, there are other –at least conceivable, if not yet proven– use cases, such as:
- the promotion of less secure software as part of supply chain attacks, with organizations sticking to vulnerable libraries or frameworks in the erroneous belief that they are more popular and better maintained than alternatives, for example;
- typosquatting; and
- plain malware distribution.
On the Caveat Emptor ("Let the buyer beware") side of things, I look at other metrics well before I rely on stars.
How many contributors does it have? How many active forks? How many pull requests? How many issues are open and how many get solved and how often and how lively are the discussions? When was the last merge? How active is the maintainer?
Stars might as well be facebook likes imo: when used as intended, they didn't say much more than "this is what the majority of people like" (surprise, I'm on lemmy bc I have other priorities than what's popular), now they mean nothing at all.
I am not a programmer. But I have been using github as an end user for years, downloading programs I like and whatnot. Today I realized there are stars on github. Literally never even noticed.
The stars are more important when you're a developer. It indicates interest in the project, and when it's a library you might want to use that translates into how well maintained it might be and what level of official and unofficial support you might get from it.
Other key things to look at are how often are they doing releases and committing changes, how long bugs are left open, if pull requests sit there forever without being merged in etc.
Yeah, this is a pretty good gauge of what an honest star rating should represent.
how is twidium managing to charge so much more?
Their stars are hand crafted from raw virginal pixels by blind monks using only their toes.
What is Twidium's deal? They are the most expensive and take the longest.
Its not good that some of these are instant. I guess they try to make it look organic.
Programming never needed these sorts of social media features in the first place. Do you part by getting your projects off of Microsoft’s social media platform used to try to sell you Copilot AI & take a cut of your donations to projects with Sponsors.
For reference, there is codeberg.org, operated by a German nonprofit and based on the open source Forgejo, among other open alternatives.
I like hub.darcs.net & smeder.ee myself. Git is overrated.
Federated repo hosting website when?
Radicle can do it presently but a lot folks dismissed them since they worked on cryptocurrency stuff independently. Weird thing to be hung up on considering they were separate endeavors, but folks are fickle.
Why a real person would star a project? When I star a project then my GitHub home is littered with activity from that project. I hate that, so I never star anything
you can turn off notifications from starred projects
There is a clear situation in Foss( even more in self hosting) where projects are presented as free open source but they are intended to monetize at the end and use the community help for development.
There's nothing inherently wrong with monetizing FOSS. People gotta eat.
If I understand them correctly, @[email protected]'s point is not that it is wrong to monetize FOSS, but rather that companies increasingly develop open source projects for some time, benefiting from unpaid work in the form of contributions and, perhaps most importantly, starving other projects from both such contributions and funding, only to cynically change the license once they establish a position in their respective ecosystem and lock in enough customers. The last significant instance that I remember is Redis' case, but there seem to be ever more.
This happened in the earlier years of Android. Developers were FOSS until people helped them get the app to a polished state. Then close it and charge money. Make a big push to promote the paid app.
Can you give examples of this? What is the coat to the end user? Hardware, IT-services (VPS, and alike?) or like map providers using OSM data?
Isn't this kinda what the controversy around the ElastiSearch licensing change was about? I think people have had similar frustrations with HashiCorp software, but I don't know the details.
Can we get a nice chart for Upvotes on Reddit costs? Asking for a friend. /s
Also, what if this is an actual viable way to “market” for an open-source project?
I am fortunate enough to not market my stuff:
If somebody finds and can make use of it. Great.
In the other case who cares? Didn't hurt or cost me anything to publish it.
Fake GitHub stares have other implications: Typosquatting is a real issue and fake stars make it more convincing that it is the genuine project.
open collective has a minimum star limit to signup.
But they accepted our project even though we didn't meet it. I always thought it was silly, and was glad they were flexible.
Shocking, a site full of diy programmers and hackers are trying to hack the system. Maybe even just for fun.
Why would it be? Software is good based on it's use and recommendations from real folk, not *s. Many project not on github
But stars equal discoverabiliy, or at least contribute a good chunk to it.
Sure if you browse by github but in my use of the site over the years I go to the repo from the webpage of the project or from another source such as a link from a blog or something.
I never went with a software project from random scrolling. It has no value to me if it doesn't meet a need I have right now.
No contributor is going to be good that doesn't use it.
based on its* use
Yes. You corrected a dyslexic. Well done.
Yeah, I'd argue that the project can be good and not widely used. Do you think that there are projects with real use case and are great open source software and not widely used because its buried under the *s?
It could be a relatively inexpensive way for niche marketing. Especially if the developer has a payment option with the software. Probably a decent way to get the software out in the open for profitability, no?
That is more down to poor marketing. Here on Lemmy or reddit there are big open source communities where you can extol the values of it.
From a pragmatic standpoint, yeah it would accomplish that goal. However, that discounts the intended purpose of the stars, which is to represent an individuals attribution of personal value and trust. They lose significance and become misleading if you can buy them, which holds true even for good software. When we see a github star is should represent someone who has used the software, finds value in it or who respects and trusts the project.
Just trying to play a little devils advocate. Not saying that its ethical to do it, but if morals/ethics don't play a part in the decision, it could prove useful. Besides, I'd imagine that its already being extorted pretty heavily if there's that much competition for sellers, hah.
For anyone interested in reading more on this type of thing, the colloquial term seems to be "SMM panel" where SMM is "social media marketing". EN Wikipedia has nothing of course, but DE has this: https://de.wikipedia.org/wiki/SMM-Panel.
Link doesn't work for me on mobile.
Why would the En version "obviously" have nothing?
Why do you say it's obvious that the English wiki "has nothing"?
Is that to say SMM scams are largely paid for by Germans?
Amazing. Good thing I don’t use GitHub :)