Open Source

31851 readers

63 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago

MODERATORS

[email protected]

427

Over 3.1 million fake "stars" on GitHub projects used to boost rankings (lemmy.ml)

submitted 4 days ago* (last edited 4 days ago) by [email protected] to c/[email protected]

72 comments fedilink hide all child comments

This doesn't surprise me at all... Just like bots in games. Selling a service that benefits another. Its shady, but definitely believable.

Also, what if this is an actual viable way to "market" for an open source project?

https://www.bleepingcomputer.com/news/security/over-31-million-fake-stars-on-github-projects-used-to-boost-rankings

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 27 points 4 days ago (1 children)

How would the raspberry help? It is accounts needed.

[–] [email protected] 2 points 4 days ago (1 children)

Automation. You replace the user with a script that does everything. Not that hard. Captchas dont really work anymore with ai, and you can pay people to do it for you for a fraction of a cent instead of the absurd prices listed.

[–] [email protected] 24 points 4 days ago (2 children)

But you still need the user accounts. Which must be created and are verified by email. Then you have to generate tokens for them to call the api endpoint to add the star. I’m not saying it isn’t doable, but it would be non-negligible and GitHub is going to squash you back at some point creating all those accounts from one source.

[–] [email protected] 2 points 3 days ago

Right - the cost is your time instead of dollars.

I don't like doing stuff, so I give my time an hourly rate of $100. Absolute BEST case scenario (for me) would be that this is a weekend project, so call it 10 hours.

So my best case break-even point would be 10K stars. Which seems like it'd be more than I'd need?

[–] gravitas_deficiency 1 points 3 days ago (1 children)

But the main point is that good and well-written code doesn’t need this sort of misdirection, nor would the authors generally engage in this sort of thing

[–] [email protected] 1 points 3 days ago (1 children)

You seem to imply bad programmers use these services to star-boost their otherwise mediocre code. That might be the case, but there are other –at least conceivable, if not yet proven– use cases for these star-boosting services, such as typosquatting, the promotion of less secure software as part of supply chain attacks (with organizations sticking to vulnerable libraries or frameworks in the erroneous belief that they are more popular and better maintained than alternatives, for example) and plain malware distribution.

[–] gravitas_deficiency 3 points 3 days ago

I mean… I was sort of taking “good” code to imply “not malicious”, in addition to it being written well. But yeah, I completely agree, in the context of attack vectors you mention.