zlacker

[return to "Tracking the Fake GitHub Star Black Market"]
1. woodru+X91 2023-03-18 18:00:25
>>kaeruc+(OP)
Things like this are part of why I cringe when I see supply chain analysis/security companies include “popularity” in their criticality metrics: the relationship between public popularity signals (like GitHub stars) and criticality is weak, at best.
2. andrew+wa1 2023-03-18 18:03:26
>>woodru+X91
In my experience, it's actually a great signal. That's why so many people rely on it. The distribution of GitHub stars is an extreme power law.[1] Stargazer thresholds are used by maintainers to make decisions on including projects for different purposes, from dependency management to package manager maintainers deciding to list software by name.[2]

[1]: https://github.com/andrewmcwattersandco/github-statistics

[2]: https://github.com/Homebrew/brew/blob/master/docs/Acceptable...

3. woodru+je1 2023-03-18 18:28:01
>>andrew+wa1
Selection suitability and criticality are different metrics. The former is what Homebrew uses, as a way to lessen maintainer load and prevent inclusion in Homebrew becoming its own quality signal. The latter is what I’ve seen supply chain companies provide: an implication that a project is somehow critical or essential to the overall ecosystem because it has so-and-so many stars.

That first use is not unreasonable, in my opinion. The second one is questionable, at best.
