151 comments

[ 2.5 ms ] story [ 197 ms ] thread
Am I missing something, that seems like a decent prank. It’s harmless.
No, his friends account is flagged as a spammer now and gets less visibility.
The list in the article, though, was carefully selected to presume competent people doing the decision-making. I totally believe many people use that star count for something... but an "enterprise"? someone investing non-trivial amount should of money? a specifically-"talented professional"? I just find that really difficult to believe. I've sold software to enterprise, I've worked with a number of venture capital funds, and I know a ton of actually-talented professionals... I dare say most of them consider GitHub's social features to be a joke.

The enterprises I deal with cared almost exclusively about stuff like license choices, support contract options, and "invoice billing" ;P. The vetting process I've dealt with at VCs was intense, having worked both sides of that situation; and I know multiple people who have worked data science jobs at such firms to try to better select investments. As for a "talented professional", I can pretty much guarantee they are going to look at your codebase, not the number of stars it has, while they evaluate any number of more reasonable things to judge an opportunity on (commute, pay, management style, etc.). A key property of competent deciders is that they aren't using trivial metrics.

Assuming those hallucinations are a thing to be patched out and not the core part of a system that works by essentially sampling a probability distribution for the most likely following word.
evidently, they can hard-code exceptions into it. this idea that it's entirely a black box that they have no control over is really strange and incorrect and feels to me like little more than contrarianism to my comment
Maybe not as cheap as you may think. I think github takes a small cut plus you may need to declare the donation as Income on your taxes.

Also if you get "smart" and donate on multiple cards, I would think it is a trivial task for github to determine is is a scam. The CC address would match you Address for the funds your receive.

Probably way too much work for this :)

They don't take a fee from what I read about it.

> https://docs.github.com/en/sponsors/sponsoring-open-source-c...

> GitHub Sponsors does not charge any fees for sponsorships from personal accounts, so 100% of these sponsorships go to the sponsored developer or organization. The 10% fee for sponsorships from organizations is waived during the beta. For more information, see "About billing for GitHub Sponsors."

GitHub sponsors has been out of beta for a long time, they take 10% of the donations if the code is under an organization which is very common for OSS projects. Of course one of the ways to get around it is to sponsor the lead developer, which is sometimes available as an option. Or just sponsor the developer some other way which doesn't go through Microsoft such as Liberapay or Opencollective.
FWIW, I am not baffled by that, as the vast majority of programmers are not "talented professionals" (which is the specific category of potential employee I was balling at, along with enterprises and venture capital firms). So like, you ask your question, they say "star count", and you don't have to really continue the interview.

(When I was in high school, I used to work for a pre-Internet company that helped people pre-filter interview candidates for ads posted in classified sections of newspapers and what they did was have questions like this that could be asked by people well before they reached your calendar for an interview.)

I'm surprised that Github stars are valuable enough to buy. Personally I never look at the star count because even if they were legit, they don't really tell me anything more useful than I get from looking at other things in the repo.

I tend to check the age difference between the earliest and latest commits because that lets me be sure it's not a project that someone spent a couple weeks coding up, dropped on github, and then forgot about. I'll also check the issues on there. I'm looking for more closed issues than open ones, but I'll also quickly scan over them to get a rough idea of how many are truly meaningful issues. I also get signals from the readme and docs. It's not a hard pass if there's issues with those, but it's certainly helpful to my opinion if they exist and are both clear and detailed.

I mean based on the number of repos they identified buying stars and prices advertised, the revenue just doesn’t make sense. The sellers have made like, hundreds of dollars at most. How much effort have they invested for this meager return?
I find stars helpful when I'm evaluating several different repos to choose a particular tool for a job.

If one of the repos has many more stars, I weigh that strongly when choosing. Freshness of commits is definitely important, but for me the fact that many other people starred the repo shows that there are eyeballs and activity.

I'll admit I've used them. In particular, I've used paperswithcode to find implementations of ML models. There are often a number of implementations of the same model, and the quality is highly variable. I've used stars (which paperswithcode displays) as a pre-screen. Spoiler alert, the highest started implementations are not always the best. But it still helps to triage, as a proxy for how well used it is
You are likely not important enough to scam. The first people I can imagine this being shown to are VCs in pitch decks who are only going to see this on a powerpoint and not actually on github. Very unlikely the VC will check github itself to verify the number, and if they do, even less likely they'll verify that the stars are real.

You're the kind that checks everything. Even if you had something valuable, a scammer wouldn't waste their time with you then there are easier fish to bait.

Interesting, I just use them to keep track of interesting projects ( edit: not the number of starts as a proxy; stars is basically my bookmark ). People treat them as internet points?
> dropped on github, and then forgot about.

I really wish GitHub would have some sort of flag for "stale" projects. I use your methods too (issues, dates, etc.), and I'm usually disappointed when search results bring up ghost projects. However, in a few instances, I found a project that was similar to an issue I was working on that went one step beyond where I was, and even though it was a ghost project, it helped. But in general, these projects don't help. I'm also disappointed that I'm thinking, "Hmmm, maybe LLMs can help..."

Why is stale a bad thing? It could be something that was created to serve a purpose, developed to the point that it was feature complete for that purpose, and now requires no more development yet continues to do its purpose without modifications.

It's almost like you are thinking of it as an expiration date and the software has spoiled.

"Stale" and "done" are different states. Stale is when bugs are known but not fixed, dependencies old and unsupported, build instructions do not work any more on modern versions of OSes and other environments.
i think you're leaving out the state of "good enough"
All software is subject to shifting environments over time that will eventually render it obsolete. How fast this happens really depends on the ecosystem—it's a function of the abstraction level and context in which it runs. C or Go code that compiles to a standalone binary will be less susceptible to this, higher level Ruby or Node code that depends on a lot of peer libraries moving in lockstep will be more susceptible. Newer languages that have some notion of backwards compatibility baked into their charter like Elixir or Rust are somewhere in between.
well, the original dev did release the code as open source. you are free to take their lead and continue on with modifications in your own source or even as a fork if you feel so strongly about it needing to be maintained to that level.
Yes, I certainly could. This comment chain started with "why is stale a bad thing". It's bad because I have to do that.

There might be a maintained fork/separate project that does what I want that I would like to find instead. Or maybe I was just searching to save myself 30 minutes on a one time task and I'm not up for adopting an abandoned project.

Stale is bad. Asymptotically approaching stale is great.
Because many languages have breaking changes in the interpreter. For example it is almost impossible to review old Python projects you have to change so much, it is easier to rewrite in many cases.

Rust and other compiled languages that have backward and forward compatibility in mind do much better.

But in that case it should have a note saying it's finished or in maintenance mode (e.g. https://github.com/sirupsen/logrus); include references to replacements, offer paid support if you really need it or still use it, keep an eye on issues, and update dependencies.

Else, ask for a new maintainer. While code can be considered done (especially if no new features are added), it should never go unmaintained. If it's actually used a lot of course.

I have one project on GitHub that I use all the time as part of a script and only push changes when the python API breaks it. It is essentially “finished” and usually just needs a quick compile against the new python version whenever I upgrade the distro. I haven’t even had to touch for at least as long as GitHub required ssh keys so by all accounts this would be an abandoned project.

Now that I think about it — it is a python wrapper around a boost library and neither of those have made backwards incompatible changes in a long time which is quite suspicious.

Boost libs circa Ubuntu (14 or 16.04) had JSON parser that allowed comments, while the newer Boost in Ubuntu 20.04 (and I think already in 18.04) had "updated" it and then it didn't allow comments any more.

Just a small anecdote of Boost changing behavior that broke some of my stuff.

I kind of expect that I’ll have to do some work at upgrade time but it’s been a while. Usually python is the culprit and can only remember boost breaking something once but that was a different project. The maintainer was quite nice on trying to help me figure it out but I don’t think I ever got it working the same again.
Displaying stars to represent traction in open source was a pitch deck phenomenon that was highly effective fitting the ZIRP.
(comment deleted)
Metrics based on issues / commit activity are certainly higher fidelity.

As you indicate though, they require more effort to adjudicate. Are issues from core team members? Are commits meaningful? Is community activity meaningful? I wish GitHub would give allow us to parse things like this more easily.

My use of star count is generally a binary indicator. 1k+ is probably a legit project and below is probably still early. Beyond that, it's probably too noisy.

Closed issues dont mean anything though... a lot of maintainers bulk close hundered of issues as "nofix", "no activity after 3 months", and so on. Just sweeping them under the rug. And many of them pride themselves with the 0 opened issues like it mean something. Any software in the world can have 0 issues if they played this game.

So unless you are really well versed in the project and spent some time following it, stars actually might be a better indicator of the project quality and reputation.

> a lot of maintainers bulk close hundered of issues as "nofix", "no activity after 3 months", and so on

God, I hate this. Every time I have an issue with something, look it up on the issue tracker and find the exact issue I'm having autoclosed as "stale" by a fucking bot because the author didn't reply "this is still an issue" once every 24 hours, it instantly makes my blood boil and I avoid using the software in question as much as possible in the future. Nothing screams "I care more about github numbers than my users or the quality of my software" more than this.

Are you paying the maintainer to use their software? If not then you don't really have right to make such demands on them.
I don't think GP said anything about making demands. They said they avoid using that piece of software and that is not a demand on the software's author.
If you read my comment carefully you'll notice that I at no point demanded that the developers actually fix the issue.

The problem here is simply closing issues that are not fixed because they're "stale", no reason to do this unless you're obsessed with keeping the number of open issues low to deceive people into believing no issues exist. Keeping issues open does not take any effort.

Go back and read your comment carefully, it's literally a rant about the maintainer.
Yes, it is. What point are you trying to make here? Being a maintainer of open source software does not elevate you above criticism.
I can be upset with people lying to me even if I don't pay them and there is nothing wrong with avoiding projects engaging in such behavior and warning others about them.
>I tend to check the age difference between the earliest and latest commits because that lets me be sure it's not a project that someone spent a couple weeks coding up

I doubt anyone would do this, but commit date can be arbitrarily changed.

Taylor Otwell lol.. He has some pretty dope cars in his garage and is doing well.

I follow him on GitHub, and pay for some of his products. I have been heavily influenced by his coding styles, and the tools he uses. His code just looks so tight and perfect. He writes his stuff so open ended and reusable that he basically writes a method once, and then reuses it across numerous projects.

Look at this tight code: https://github.com/laravel/framework/blob/10.x/src/Illuminat...

I’d say that Adam Wathan is rapidly growing his influence as well, and is probably doing alright too.

The multiple-line comment styling is so pleasingly pathological — each descending line has a few characters less than the last.
However, some language ecosystems are more OK with "finished" software than others. It hasn't had a commit in 4 years because none were necessary. Needing constant updates is a sign the local ecosystem is driven by churn over quality.
I don't really think this generalization holds. TeX is one of the very few widely used pieces of software that's considered complete, more or less everything else is either getting updated or superseded by other things.
A NFA library, for example, probably doesn't need to be constantly updated.

If you avoid building on something that's constantly shifting (the web) then the need to update goes down significantly.

Clojure, Elixir, and Lisp (especially Clojure) all have slower acceptable churn rates than other language ecosystems. If it works sensibly (both in terms of being fully debugged and ergonomics) and the underlying system hasn't had significant changes, what good does a commit within the past six months do beyond signaling to the GitHub meta game?
> I own a key pair

Right there… it won't work with the general population.

something like 2 billion people have a phone with a secure enclave capable of this in their pockets today - and they use it everyday for logins, payment and paying at the car park.

We have the penetration

(Afaik smartphone penetration is around 4.5-5 BN, and something like 50%+ have secure enclaves but honestly Indont follow that deeply so would defer to more knowledgeable people)

That’s not your identity, it’s an access token protected by an advanced lock screen (which is greatly useful, but not the same). If you lose your device, the way you get back into your accounts is your de-facto identity—usually it ranges between the email you used during signup to your govt id.

There isn’t a widely deployed public key network with keys that represent a person, afaik. PGP is the closest maybe?

> something like 2 billion people have a phone with a secure enclave capable of this in their pockets today - and they use it everyday for logins, payment and paying at the car park.

They don't own a key pair. They carry one around, which is owned by google or some other entity?

I have moved all my repositories to sourcehut. They are generally mirrored by a github repository consisting of a single README file explaining the new location for the project, and my reasons for the migration.

However, given sourcehut eschews the use such "social metrics" (which at some level I agree with the principle behind it, on the other hand I do appreciate the value of being able to give visibility to good projects) I usually mention in my README that "If you like the project and wish to promote it, feel free to star this github page".

I'm sure github probably wouldn't like this use-case, but the stars would certainly be genuine, even if possibly quite dodgy-looking.

I have moved repositories off github, replaced the README with a warning and the new location and archived the project.

It's still getting starred...

> It's still getting starred...

clearly you did too good a job on the README

i wonder how many PRs this README receives to fix typos
I’m conflicted about this. Sourcehut, Codeberg, etc are great. But having everything I’m looking for on GitHub is extremely convenient. I use the “Add to List” function extensively for bookmarking.
Yes, this is why I didn't want to migrate without leaving a trace on github. The redirecting README on github is a good compromise, I think.

Having said that, it may be worth thinking what is the price we may be paying as a community for this convenience, btw. MS Github is clearly already past the "embrace" phase, and well into the "extend" phase.

Pretty sure those who game their repo are motivated by investment into associated startup. I think you are right that community activity is a high fiedlity indicator and a smart investor in OSS startups should definitely not only lurk in the community but if possible actually have resources to kick the project tires as well.

In a very strange way (but reflective of the economic regime) a startup that fakes stars vs a straight-arrow startup that doesn't is demonstrating a key element for success in business, which seems to require a significant element of bullshiting, and outright deceiving. The mantra has been that "grow grow grow" is the only guideline for success. Inflating your stars is just rookie hour practice for bigger better growth b.s. down the line.

Yeah they are almost all clearly spammy, broken english ads for paid software
But, and I understand the argument, that is a problem for IRL society / government to solve.

If someone walks upto me in the voting booth and says "vote for X or I will kill you" that's a crime. If they do it in the pub it's probably a crime. If they do it online the police don't have enough manpower to deal with the situation.

We should change that.

Every time some fuckwit tweets "you and your kids are going to get raped to death and I know where you live" because some woman dares suggest some political chnage I would like to see jail time.

And if we do that then I can understand your argument, but I would then say it is not valid - in a society that protects free speech.

Actually, there could be places where verified humans are required, and places where they are not.
That doesn't work so well when the government is one of the bad actors.
My point is that if government is a bad actor, there is no recourse. We need a fair democratic society - it's on us to build one / keep it there
It might get to be that way some day, but for now there is recourse. France is (in)famous for it and they are currently making use of that way.

And this is important because a "fair democratic society" that doesn't need people to be able to protest is, as history has shown many times, only a temporary affair. The best way to keep it is to not give the government the tools a worse government could use to suppress dissent.

I'm far less worried about being intimidated into voting a certain way by someone who is avoiding the authorities online.

Much more likely is that I'll vote ignorantly because I lack information that someone withheld because they're intimidated by the authorities.

Rabbit trail: I accidentally right-clicked on their home icon and it brought up their branding page with license agreements for their IP. Really neat idea.
Then make it a banks job to guard the bank vaults - they need to earn that FDIC bailout money :-)
(comment deleted)
So, ask yourself for a moment: what is it you are actually caring about?

I'd like the project to not introduce security vulnerabilities or bugs into my code. I thereby care what language it was written in, what libraries they use, what their testing and QA/CI process is, and whether it is being used by any "critical" projects (like, if that library is embedded in Chrome, you have to bet there are tons of people like me every day trying to hack it).

As part of that, I care about if the project takes a cavalier attitude towards contributions: if I see a number of pull requests from random "contributors" being casually accepted, that is going to be a major major red flag; if possible, I want to see a core team doing most of the development and integration (and not merely most of the "review", add I see in some projects where the people in charge feel above doing work).

I definitely care that the project is being maintained and that there are people paying attention to issues, and it needs to have a culture of taking bug reports seriously... nothing is more dangerous than a project that tries to pretend they are responsive using bots to "automatically close" issues: I'd rather see bugs open for years than worry a critical issue was reported and subsequently lost.

I am certainly curious how work on the project is funded and whether I can trust that its license is going to hold constant over time: I don't want to end up relying on a dependency that is really the pet project of a small startup that is either going to disappear next year or will decide to redirect development to a closed-source fork. I'd thereby also prefer the project be run by a core committee of participants from multiple companies.

I honestly can't imagine caring two shits about how many stars a project had on GitHub... hell: what if the project isn't even on GitHub? What then? Do you just give up and decide it sucks? A world where everyone feels any incentive at all to put their code on a centralized platform is one where we have all failed as stewards of the future of software :(.

This sort of gamification exists only because there are too many green engineers that only care about their salaries, and they mimic what people successfully recruited by FAANG (etc.) did, and so do other companies. Then this purity spirals into taking the entire field down because there's no one around to educate the new newbies. Facebook was IMO a step in the right direction because it was a "general" social network, you could post anything. Imagine if FB had released some sort of an "extension" that allowed you to share anything via a template of sorts, instead of having to type out everything in the same old text post. It would have been meta enough (sorry) to not spiral very quickly.

Leaving the arena is the only viable option. Software projects that aren't dependent on github drive their own vehicle, everyone else is on a crowded bus.

Now is the time to cultivate friendships and to make networks that persist online, and are verified via irl meetups / contacts. People who pull that off now will be in much, much better shape in the future. GPT's output is apparent to a discernible eye right now, but according to the power law, it won't take much "novel" input to train upon to make that discernment useless. Then, the only internet community that could be dependably reliable would be your group of irl verified people.
I would phrase it more as we're pretty much out of time to have initiated online-only relationships.
Agreed. It's very difficult now to build communities that have lasting impact, because everyone's saturated with info as-is. Contributions to niche communities now rely on a societal "outsider" status, which means there's basically a couple of people that contribute heavily and very few onlookers. Everything else is either gamified or comes from video games / gambling.

On the bright side, it's THE time to cultivate close friendships and to seek like-minded people. The entire phenomenon of popular attention hugging a community to death does not exist any longer. You can now have OG members persisting with notions for a long time and building a shared mythos with a small group of friends, because information is now more accessible than ever.

Obviously, most people aren't part of these communities. The people that are "drifting" alone are given to wasting their time on charismatic attention-seekers that talk a big game (twitch/e-celebs) but deliver nothing of value. So there's also room in the market for charismatic folk with some technical expertise to rally people to their cause, but only very briefly. This is because the number of people half-committing and then jumping ship is likely the highest it's ever been. Also, platforms have now resorted to paying people to stay on their platform (youtube / tiktok / sponsorships / twitch boosting streamers / etc.) to combat occasional ennui, ironically exacerbating the issue.

Best methods for that? Local meetups?
Most tight, close-knit groups originate from shared mythos. These can be family, proximity, "same school year", "same college", "friend of best friend", etc. Online, you can find people that are interested in some niche topic (or elaboration of some popular topic to an absurd degree) and engage with them. Small newsletters are also a good way to get people talking. What most people don't do is return attention, aka reciprocate positively. This could also mean you'd have you write about unrelated things or maybe try to build a "business relationship" that would then progress if you invest some time and hope for the best.

It's a really bad time to try and get the attention of someone more famous / notable than you, though. Sure, you can go on $platform and talk to them, but it's really not the same when they have a gorillion other messages. Same goes for people in large communities that are a "guy" there, known for something. Extremely high-return investments but you're likely going to fail.

Some people try to start youtube channels / info streams and then entice people to join their forum / server. While this does seem to work, it only brings in quality people AFTER the community is fully formed and rigorous laws are in place. The initial stragglers are usually the recently excommunicated looking to try their hand at the same shit somewhere else.

If you really put some effort into a topic and blog about it, you're likely to get some high-quality responses even if you only pose a question to someone that's partly interested. I've found this to be a really great way to separate the folks that are actually interested from those that aren't. You'll usually get people around your own level this way and IME this is the best approach.

It takes a lot of effort to make people clock in regularly to your online circle, and it's better to establish digital / irl face-to-face contact after a good interaction. It builds trust and because we're wired to judge people from their facial reactions rather than text, it also sobers conversation / tempers over potentially divisive topics. Works well with cerebral / "deep" people. Doesn't work with people that only come online to blow steam / enact a persona, so it's a good filter.

TL;DR: Touch grass (digitally), make friends (digitally)

Folks, doesn't it seem a little harsh to pile downvotes onto this comment? It's an interesting objection stimulating meaningful conversation for us all to learn from.

If you disagree or have proof of the opposite, just say so and don't vote up. There's no reason to get so emotional we also try to hide it from the community by spamming it down into oblivion.

to be fair, it’s only one net downvote
After that post on HN months ago[1] where users discovered OAuth permissions for unrelated things being used/abused to star projects without their knowledge this news of buying stars didn't come as a surprise.

It's unfortunate as I've seen stars used as a metric of trustworthiness in general user discussions.

[1] https://news.ycombinator.com/item?id=33917962

> ChatGPT is creating a huge market for creating fake companies to match the fake information it's generating.

Does ChatGPT consistently generate the same fake data though?

I have noticed that ChatGPT will give me a consistent output when the input is identical, but I haven’t done extensive research on this.
There was one company that had to put up a “our API can’t get location data from a phone number so stop asking, GPT lied” page.
Yes and if you look at the comment history of the posters in that thread, it is clear they are all spam accounts.
How do you know we aren't already there?
They were incompetent because they didn’t have enough As. I exclusively use AAAAAAAAAAAA Plumbers
Apparently seven is the sweet spot for visual recognition at a glance, so I'd go with AAAAAAA Plumbers instead.