zlacker

Tracking the Fake GitHub Star Black Market

submitted by kaeruc+(OP) on 2023-03-18 07:42:34 | 489 points 284 comments

◧◩◪
5. wodeno+x8[view] [source] [discussion] 2023-03-18 09:26:17
>>supriy+Y6
Never heard of swyx.

Self-proclaimed GitHub star. But still only 5000 followers and projects max out at 8000 stars.

I don’t know what I had expected but I think it was bigger numbers than that.

https://github.com/sw-yx

◧◩◪
10. rozenm+N9[view] [source] [discussion] 2023-03-18 09:43:30
>>supriy+Y6
I didn't even know Shawn had a popular GitHub, though he has written about the meta-creator ceiling before: https://www.swyx.io/meta-creator-ceiling
◧◩
29. azu+Ob[view] [source] [discussion] 2023-03-18 10:07:20
>>siva7+H6
https://press.stripe.com/working-in-public

The book presents similar stories.

◧◩◪
36. Azadza+Ec[view] [source] [discussion] 2023-03-18 10:20:58
>>mapmel+Fb
>GitHub gradually removes these users as they catch up to them

With collaterals too I presume [1]. I guess I've been the victim of some automated system. They have banned my account without warning or explanation and they've been ignoring my support tickets for about 2 months!

[1]: https://news.ycombinator.com/item?id=34817163

57. Der_Ei+Uf[view] [source] 2023-03-18 11:03:04
>>kaeruc+(OP)
I wrote a tiny tool which calculates the "brightness" score of a github repo based on calculating the total star count of the people who starred your repo. It will automatically detect these kinds of scams (assuming that it's mostly low star bots giving the stars).

https://github.com/Hellisotherpeople/Bright

Edit: I love clustering, I really do, but I think that techniques like the one I am using are far superior to unsupervised learning for trying to detect fake accounts in this context.
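
The scoring idea in the comment above, sketched as an added example; it is not code from the post or from the linked Bright repository. The account data is constructed, and the median and zero-share thresholds in the hypothetical `looks_inflated` helper are assumptions added to show why a raw total alone can be skewed by a single high-star account.

```python
from statistics import median

# Constructed sample data (not real accounts): stargazer login -> star counts
# of the repositories that account owns.
ORGANIC = {"alice": [120, 3], "bob": [0], "carol": [15], "dave": [2, 40], "erin": []}
PURCHASED = {"acct1": [], "acct2": [0], "acct3": [], "acct4": [0, 0],
             "acct5": [], "whale": [500]}


def profile(stargazers):
    """Summarise how many stars the accounts that starred a repo hold themselves."""
    per_user = [sum(repos) for repos in stargazers.values()]
    n = len(per_user)
    if n == 0:
        return {"stargazers": 0, "brightness": 0, "median": 0, "zero_share": 0.0}
    return {
        "stargazers": n,
        # "Brightness" as described in the comment: total stars of all stargazers.
        "brightness": sum(per_user),
        # Median is robust to one high-star account inflating the total.
        "median": median(per_user),
        # Share of stargazers whose own repositories have no stars at all.
        "zero_share": sum(1 for s in per_user if s == 0) / n,
    }


def looks_inflated(stargazers, min_median=1, max_zero_share=0.8):
    """Flag a repo for manual review; both thresholds are assumed, not calibrated."""
    p = profile(stargazers)
    return (p["stargazers"] > 0
            and p["median"] < min_median
            and p["zero_share"] >= max_zero_share)


if __name__ == "__main__":
    for name, data in (("organic", ORGANIC), ("purchased", PURCHASED)):
        print(name, profile(data), looks_inflated(data))
```

In the constructed data the second repo has the higher total (500 versus 180) but is still flagged, because five of its six stargazers hold no stars.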

◧◩◪
92. ChrisK+Dm[view] [source] [discussion] 2023-03-18 12:12:58
>>siva7+za
I just tried to find a FOSS tool for converting MS Outlook .pst file to .mbox.

I first tried Google; the results are dominated by commercial crap.

Then I tried the "google reddit" trick to try and find some real people's opinions... but look at all the blatantly bullshit comments on this Reddit thread; https://www.reddit.com/r/Thunderbird/comments/ae4cdg/good_ps...

---

(if anyone is wondering, the best option for Windows is to use 'readpst' command via WSL. Comes in the 'pst-utils' package).

96. pengui+an[view] [source] 2023-03-18 12:17:13
>>kaeruc+(OP)
My ex-employer used Github stars in their job description and during recruitment pitches. They regularly encouraged employees to go and star the firm's repos in Github. In all-hands meetings, the Github stars were one of the items they reported: "we've surpassed X in Github stars" (applause).

(The firm X, however, is a more well-known name than my ex-employer was).

A while ago, I listened to a Freakonomics episode where it was discussed that businesses use proxies to both boost their image and to cover up their incompetency. The example was that a lot of businesses chose fancy names starting with A (like, AAA plumbers), so that they get listed first in business directories. These firms were later proven to be very incompetent and/or even fraudulent.

The relevant paper, also cited in the episode, was "A Business by Any Other Name": https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1667550.

◧◩◪◨
128. philbo+au[view] [source] [discussion] 2023-03-18 13:19:41
>>throw_+Hf
> How do you evaluate 3rd party dependencies?

I actually blogged my answer to that exact question recently (shameless plug):

https://philbooth.me/blog/how-to-evaluate-dependencies

◧◩
132. rwalla+Ru[view] [source] [discussion] 2023-03-18 13:24:32
>>perihe+ca
This is the first time I've ever posted an XKCD link here, but I think the occasion calls for it.

https://xkcd.com/810/

◧◩
143. hoofhe+Nz[view] [source] [discussion] 2023-03-18 14:07:11
>>siva7+H6
Taylor Otwell lol.. He has some pretty dope cars in his garage and is doing well.

I follow him on GitHub, and pay for some of his products. I have been heavily influenced by his coding styles, and the tools he uses. His code just looks so tight and perfect. He writes his stuff so open ended and reusable that he basically writes a method once, and then reuses it across numerous projects.

Look at this tight code: https://github.com/laravel/framework/blob/10.x/src/Illuminat...

I’d say that Adam Wathan is rapidly growing his influence as well, and is probably doing alright too.

◧◩
159. Spring+iE[view] [source] [discussion] 2023-03-18 14:46:45
>>yla92+Aa
After that post on HN months ago[1] where users discovered OAuth permissions for unrelated things being used/abused to star projects without their knowledge this news of buying stars didn't come as a surprise.

It's unfortunate as I've seen stars used as a metric of trustworthiness in general user discussions.

[1] https://news.ycombinator.com/item?id=33917962

◧◩◪◨⬒
164. Kelami+iG[view] [source] [discussion] 2023-03-18 15:02:16
>>jmclnx+iz
They don't take a fee from what I read about it.

> https://docs.github.com/en/sponsors/sponsoring-open-source-c...

> GitHub Sponsors does not charge any fees for sponsorships from personal accounts, so 100% of these sponsorships go to the sponsored developer or organization. The 10% fee for sponsorships from organizations is waived during the beta. For more information, see "About billing for GitHub Sponsors."

167. franci+6H[view] [source] 2023-03-18 15:08:50
>>kaeruc+(OP)
I wrote on this topic a while ago; experimenting I found out you can basically change the repos names and keep the stars; this wouldn't work if you use the repo as issue tracker or PR tracker, since the history would all be broken, but if it's pretty much just the code it's easy to swap the star count between two repos:

https://francisco.io/blog/transferring-github-stars/

◧◩◪
184. shagie+fO[view] [source] [discussion] 2023-03-18 15:58:43
>>moneyw+VL
Not sure if this is it, but 552. Is Google Getting Worse has the 'AAA Plumbers' in it.

https://freakonomics.com/podcast/is-google-getting-worse/

◧◩◪◨⬒
205. tbragi+JT[view] [source] [discussion] 2023-03-18 16:32:00
>>adamgo+hu
Agreed that marketing yourself is not toxic. I follow "swyx" on Twitter and find his insight valuable, and so do a lot of my peers. Btw, looks like his Github profile has not been updated for some time - he's no longer Head of DX at Airbyte and is now an independent consultant. https://www.swyx.io/about
◧◩◪◨⬒
206. dang+QT[view] [source] [discussion] 2023-03-18 16:32:37
>>perihe+lb
If you want to, you can always set 'delay' in your profile to the number of minutes (up to 10) that you would like your comments to be visible only to you. This puts the stealth back in stealth editing. https://news.ycombinator.com/newsfaq.html

I rely heavily on this because it's somehow only after the comment is 'real' (i.e. staring back at me from a real HN thread) that I notice most of the edits I want to make.

◧◩◪◨⬒
217. swyx+eX[view] [source] [discussion] 2023-03-18 16:50:22
>>adamgo+hu
love and appreciate your work as well adam (everyone check out Corecursive https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que... )

i honestly dont even view my github readme as "marketing yourself". most pple dont even go to an individual's profile in the first place, but if you do its kinda like a cute little myspace thing where you can let people know you as a human being and be a little quirky. i certainly dont hold myself out as an authority on writing the best software in the world and hey if 40k stars on the react-typescript stuff doesnt count i'm alright with that

◧◩◪◨⬒⬓
221. swyx+2Z[view] [source] [discussion] 2023-03-18 16:58:28
>>tbragi+JT
appreciate it but also whoa this literally just happened and its freaky how up to date you are. consulting is temporary (check out https://www.trychroma.com/ if you are exploring LangChain/OpenAI apps and need an embeddings database) and i'm working on an ai infra startup idea on the side with a couple cofounders.
◧◩
233. andrew+wa1[view] [source] [discussion] 2023-03-18 18:03:26
>>woodru+X91
In my experience, it's actually a great signal. That's why so many people rely on it. The distribution of GitHub stars is an extreme power law.[1] Stargazer thresholds are used by maintainers to make decisions on including projects for different purposes from dependency management to package manager maintainers deciding to list software by name.[2]

[1]: https://github.com/andrewmcwattersandco/github-statistics

[2]: https://github.com/Homebrew/brew/blob/master/docs/Acceptable...

245. sacnor+3r1[view] [source] 2023-03-18 19:58:43
>>kaeruc+(OP)
The next thing in social media vending machines.

https://twitter.com/Alexey__Kovalev/status/87184200877156761...

◧◩◪◨
250. Cthulh+gE1[view] [source] [discussion] 2023-03-18 21:39:50
>>dylan6+7S
But in that case it should have a note saying it's finished or in maintenance mode (e.g. https://github.com/sirupsen/logrus); include references to replacements, offer paid support if you really need it or still use it, keep an eye on issues, and update dependencies.

Else, ask for a new maintainer. While code can be considered done (especially if no new features are added), it should never go unmaintained. If it's actually used a lot of course.

◧◩◪◨
260. pbrone+4o2[view] [source] [discussion] 2023-03-19 05:02:40
>>tpoach+m81
This is true. I’m hoping https://forgefed.org/ will be a useful way out of this conundrum.
◧◩◪◨⬒⬓⬔
274. coldte+yq4[view] [source] [discussion] 2023-03-19 21:50:21
>>wpietr+Cj4
>Are you talking about in-person verification and vouching? Or can it be digitally mediated?

Yes and yes.

>If the former, it looks quite impractical unless there are widely trusted bulk verifiers. E.g., state DMVs.

It's happened already in some cases, e.g.: https://en.wikipedia.org/wiki/Real-name_system

>If the latter, then it all looks quite prone to corruption once bots become as convincing correspondents as the median person

How about a requirement to personally know the other person in what hackers in the past called "meatspace"?

Just brainstorming here, but for a cohesive forum, even of tens of thousands of people, it shouldn't be that difficult to achieve.

For something Facebook / Twitter scale it would take "bulk verifiers" that are trusted, and where you need to register in person.
