- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
This doesn’t surprise me at all… Just like bots in games. Selling a service that benefits another. Its shady, but definitely believable.
Also, what if this is an actual viable way to “market” for an open source project?
You must log in or register to comment.
You can buy any metric on the web. Amazon reviews, YouTube subscribers and likes, X followers, Reddit karma, …. I am not surprised that GitHub stars are one of them.
Also cybersecurity implications here. Nefarious actors can prop up their evildoings with fake stars and pose as legitimate projects.
my first thought. I usually rely on stars for “trustworthiness” of random projects before running their code.
Ironically an open source project with under 100 stars now seems more trustworthy by default because you can be sure they aren’t lying
On the Caveat Emptor (“Let the buyer beware”) side of things, I look at other metrics well before I rely on stars.
How many contributors does it have? How many active forks? How many pull requests? How many issues are open and how many get solved and how often and how lively are the discussions? When was the last merge? How active is the maintainer?
Stars might as well be facebook likes imo: when used as intended, they didn’t say much more than “this is what the majority of people like” (surprise, I’m on lemmy bc I have other priorities than what’s popular), now they mean nothing at all.
I am not a programmer. But I have been using github as an end user for years, downloading programs I like and whatnot. Today I realized there are stars on github. Literally never even noticed.
The stars are more important when you’re a developer. It indicates interest in the project, and when it’s a library you might want to use that translates into how well maintained it might be and what level of official and unofficial support you might get from it.
Other key things to look at are how often are they doing releases and committing changes, how long bugs are left open, if pull requests sit there forever without being merged in etc.
And if the developers were to give up on the project, how likely it would be for someone to fork it and continue.
An experienced developer could easily step in. The hold back is getting compensated for the effort rather than being forced to turn tricks on the local street corner (aka work a job).
This is why devs are walking away.
Companies offering jobs to maintainers rather than directing funding at them is nonsense. Gov’ts and companies will wake up as cracks start snowballing in their tech stack.
Ya, that’s a really good point as well.
If you’re trying to peddle malware then it’s a way to fake popularity
That’s unfair. Throwing out FUD doesn’t make it true.
Why be in a rush to judge? Might wanna watch some projects which have used this tactic.
Might be legitimate projects are willing to do whatever to attract eye balls.
Just for shiats and giggles, keep an open mind.
I was pointing out a use case
Yeah, this is a pretty good gauge of what an honest star rating should represent.
Tbh I never look at stars, but do at prs and issues
Closed PRs and Closed issues?
What if it’s a side project with 1 star, 0 issues (because no one made any) and no PRs because no ones done work on it?
More so if spme software had dozens or hundreds of open issues/PRs for months that never get looked at I’ll look elsewhere
Don’t want unstable dependencies
Really does depend on what we are talking about. Some random software that is not critical? Sure. Some system breaking library that would take down my servers in case of malfunction? No bueno.
Throwing out FUD.
The stars reflect the marketing effort put in. Has no correlation to the software quality or whether it’s critical or not.
Initially, the stats will reflect amount of marketing effort put into the project.
The marketing will attract both users and a flow of issues and PRs.
I’ve done zero marketing for my packages. And it shows ;-)
I almost commented something like “thats extremely overpriced, why dont you set up a raspberry pi to do it for you for free” and then i realized the people who could do that dont need fake stars.
How would the raspberry help? It is accounts needed.
Automation. You replace the user with a script that does everything. Not that hard. Captchas dont really work anymore with ai, and you can pay people to do it for you for a fraction of a cent instead of the absurd prices listed.
But you still need the user accounts. Which must be created and are verified by email. Then you have to generate tokens for them to call the api endpoint to add the star. I’m not saying it isn’t doable, but it would be non-negligible and GitHub is going to squash you back at some point creating all those accounts from one source.
Right - the cost is your time instead of dollars.
I don’t like doing stuff, so I give my time an hourly rate of $100. Absolute BEST case scenario (for me) would be that this is a weekend project, so call it 10 hours.
So my best case break-even point would be 10K stars. Which seems like it’d be more than I’d need?
But the main point is that good and well-written code doesn’t need this sort of misdirection, nor would the authors generally engage in this sort of thing
You seem to imply bad programmers use these services to star-boost their otherwise mediocre code. That might be the case, but there are other –at least conceivable, if not yet proven– use cases for these star-boosting services, such as typosquatting, the promotion of less secure software as part of supply chain attacks (with organizations sticking to vulnerable libraries or frameworks in the erroneous belief that they are more popular and better maintained than alternatives, for example) and plain malware distribution.
I mean… I was sort of taking “good” code to imply “not malicious”, in addition to it being written well. But yeah, I completely agree, in the context of attack vectors you mention.
On the one hand, one Raspberry Pi would not really suffice. As @[email protected] argued, you would need legitimate email addresses, which would require either circumventing the antibot measures of providers like Google or setting up your own network of domains and email servers. Besides that, GitHub would (hopefully) notice the barrage of API requests from the same network. To avoid that and make your API requests seem legitimate, you would need infrastructure to spread your requests in time and across networks. You would either build and maintain that infrastructure yourself –which would be expensive for a single star-boosting operation– or, well, pay for the service. That’s why these things exist.
On the other hand, although bad programmers might use these services to star-boost their otherwise mediocre code, as you suggest, there are other –at least conceivable, if not yet proven– use cases, such as:
- the promotion of less secure software as part of supply chain attacks, with organizations sticking to vulnerable libraries or frameworks in the erroneous belief that they are more popular and better maintained than alternatives, for example;
- typosquatting; and
- plain malware distribution.
how is twidium managing to charge so much more?
Their stars are hand crafted from raw virginal pixels by blind monks using only their toes.
Programming never needed these sorts of social media features in the first place. Do you part by getting your projects off of Microsoft’s social media platform used to try to sell you Copilot AI & take a cut of your donations to projects with Sponsors.
For reference, there is codeberg.org, operated by a German nonprofit and based on the open source Forgejo, among other open alternatives.
I like hub.darcs.net & smeder.ee myself. Git is overrated.
Pijul is also worth looking at.
Fundamentally anything with a snapshot-based model is reliant on patch order mattering. As such you always end up with some centralized server. Pijul & Darcs are based on Patch Theory that says if Patch B is applied before or after Patch A assuming there is no conflict or dependence, it should not matter in a communicative way—that is to say the 1 + 2 ≡ 2 + 1. You can avoid a series of conflicts & better support a distibuted/decentralized development model if the order doesn’t matter.
Federated repo hosting website when?
Radicle can do it presently but a lot folks dismissed them since they worked on cryptocurrency stuff independently. Weird thing to be hung up on considering they were separate endeavors, but folks are fickle.
What is Twidium’s deal? They are the most expensive and take the longest.
Obviously their stars are the bestest
Got to make it look organic and viral.
I think you’re joking, but if their accounts dont get banned immediately and the stars removed a week after you pay, then their stars are actually the bestest
There’s a chance their stars take so long because they might be using click farms to manually generate them which would be harder for spam detection to catch compared to generating stars with bots and hacked accounts, since technically there are actually x many people actually giving you stars, they’re just being paid to do so.
Its not good that some of these are instant. I guess they try to make it look organic.
Why a real person would star a project? When I star a project then my GitHub home is littered with activity from that project. I hate that, so I never star anything
you can turn off notifications from starred projects
There is a clear situation in Foss( even more in self hosting) where projects are presented as free open source but they are intended to monetize at the end and use the community help for development.
There’s nothing inherently wrong with monetizing FOSS. People gotta eat.
If I understand them correctly, @[email protected]’s point is not that it is wrong to monetize FOSS, but rather that companies increasingly develop open source projects for some time, benefiting from unpaid work in the form of contributions and, perhaps most importantly, starving other projects from both such contributions and funding, only to cynically change the license once they establish a position in their respective ecosystem and lock in enough customers. The last significant instance that I remember is Redis’ case, but there seem to be ever more.
This happened in the earlier years of Android. Developers were FOSS until people helped them get the app to a polished state. Then close it and charge money. Make a big push to promote the paid app.
Can you give examples of this? What is the coat to the end user? Hardware, IT-services (VPS, and alike?) or like map providers using OSM data?
Isn’t this kinda what the controversy around the ElastiSearch licensing change was about? I think people have had similar frustrations with HashiCorp software, but I don’t know the details.
In my opinion that was a little different. The enterprise was using the software basically, contributing nothing but selling services around it. The licence was meant to force them to help out monetarily from what they were making off it. But rather than do that Mason forked it and now have to support their own imp with their own devs.
Which is just as good in my opinion if I am understanding the situation correctly.
Can we get a nice chart for Upvotes on Reddit costs? Asking for a friend. /s
Also, what if this is an actual viable way to “market” for an open-source project?
I am fortunate enough to not market my stuff:
If somebody finds and can make use of it. Great.
In the other case who cares? Didn’t hurt or cost me anything to publish it.
Fake GitHub stares have other implications: Typosquatting is a real issue and fake stars make it more convincing that it is the genuine project.
open collective has a minimum star limit to signup.
But they accepted our project even though we didn’t meet it. I always thought it was silly, and was glad they were flexible.
Shocking, a site full of diy programmers and hackers are trying to hack the system. Maybe even just for fun.
Amazing. Good thing I don’t use GitHub :)
