Reminds me of this famous paper: https://arxiv.org/abs/astro-ph/9912202

My only guesses are people showing popular repos for their CV or to appear legitimate to get access to another repo like what happened with the xz utils backdoor.

Once you start trying to make a living from anything you do online, you start to realize that literally everything on the internet is gamed to extreme. Even this article was written and posted here for a reason.

If your GitHub repo can in any way provide you with income (from just having something to talk about in an interview or an innocuous “buy me a coffee link”…all the way up to selling $100,000/yr enterprise support plans), you now have a strong incentive to game the system.

And if it’s allowed by the system, then it’s a prisoners dilemma. Because if you DON’T do it, your competition will do it and eat your lunch.

That’s why it’s so important to design high integrity ranking systems.

The "like" metric is dumbed-down to self-amplifying popularity that hovers around meaninglessness. It would be more valuable to weight things based who else you respect also rate a particular item.

Github really wants to be a social network or something to that effect and I get the feeling that most developer don't care. If you log in it's pretty clear that the "front page" is suppose to be something like a feed, but I don't know anyone who uses it. Mine is completely blank and pointless. Stars I suppose is to be something akin to a like, maybe.

I have plenty of Github projects bookmarked, but I never "stared" one... Why would I?

Neither do I.

I believe the only thing anyone can do is take metrics of how the metrics are gamed, as this particular paper has done.

there's various reasons webs-of-trust don't takeoff, but I can imagine a system where the metrics I see are only aggregated from friends-of-friends, and any other signal is just considered untrustworthy and therefor not worth observing

It comes down to fighting against the human nature. And that's a lost battle.

Set any law you want, our nature will push us to circumvent it even legally.

Only show "Active Developer Stars" by default:

- Only accounts that have a decent amount of activity (pushing code, commenting, etc)

- Has set up SSH

- Older than 2 years

- Account active consistently for at least a year

- Must have 2-factor enabled

- Filled out profile

etc

I believe networks of human individuals can solve this to a good degree assuming a particular topology exists.

Like, imagine a group of professionals of decent sized, all specializing in a similar field, and having lots of strong connections between each other where they have ample opportunities to share information. It would be hard for an outsider to come in and astroturf their product without immense effort (like hiring shills to attend conferences). In-person networks also obviously solve the problem stars as reputation: reputation spreads naturally in these sorts of networks.

I think the problem comes with algorithmic scale. Maybe a solution would be to have more community building activities (maybe preferably offline).

Requiring real ID and showing _regional_ stars like Apple/Google would be a start.

doesn't mean why shouldn't fight back. That's exactly why we need research projects like these: to maintain the balance.

Any metric that becomes a target ceases to be a good metric.

The wrinkle is that measures that don't easily quantify are more resistant. For example, showing provable use by other reputable or trusted projects, or a significant amount of resources allocated to maintenance, or ...

Really just anything that can't be reduced to a single number in a canonical way will in the long run prove far more useful for longer.

This of course shifts some of the burden onto potential users to assess things more critically, and forecloses direct numerical comparison. But the idea that you could just look at a number and make such comparisons was faulty from the get go.

Prioritize the stars given by accounts you follow in the UI. Done.

I can see github platform internals caring about this for anomaly detection, but as a developer, who cares? I suppose a botnet could be making fake stars on a malware project or supply chain attack, but the problem there doesn't seem like it's the number of stars.

Make a website where you hire people to check out the libraries and publish scores.

But people who have chops for that probably have high enough paying jobs not to care. As most likely no one would pay for reviews of libraries.

recent commits and community engagement are better indicators

It used to be a heuristic VCs would use to gauge popularity. You know how it is: if you have the revenue, talk about the revenue; if you only have the users, talk about the users; if you only have the stars, talk about the stars hehe

Sometimes projects get stars just because people like the personality or company behind the project.

Case in point: https://github.com/facebook/hhvm/. It got 15,000 stars in its first few years, but roughly 10 non-Facebook companies actually ever used it in production, and today only one non-Facebook company uses it (I work at that company).

A star is just a bookmark for me. It says nothing beyond "I may want to look at this again". When comparing two similar projects, I may look at the star counts to see which one is more popular but it's probably the last metric I'd consider.

I agree, I am also interested in : date of most recent substantive commit; date of first commit; number of contributors.

I don't have hard and fast rules for how I interpret those values, it depends on my intentions but I find them useful things to consider.

Going back to the readme, nothing turns me off faster than a skeletal readme, it doesn't have to be "War and Peace" but it needs to be more than just how to install it.

I like to look at open PRs as well as closed issues. Sometimes closed issues reveal a lot about the attitude and expertise of the maintainers.

A better metric until it becomes a target. Once it is a target, getting a billion clones is trivial.

Github should just stop showing star counts. Who cares about them.

A similar thing happens on npmjs.com where it shows downloads for packages, which is often used as a metric of quality. However, everytime a build pipeline runs and it pulls the package, that's a download.

The weird thing is I forked Freepascal to add an architecture of A VM I had written. It wasn't really useful to anyone else, but every now and again it earns a star from a random passer by.

*sad noises from NixOS/nixpkgs, llvm/llvm-project, and all other repos with an absurd commit log/branches that takes ages to do a full clone

(just a joke that immediately came to mind, not intended to undermine OP's idea)

> (it's like proof of work, it needs compute to clone a repo)

It's github's compute, so why do I (the person who's cloning the repo) care about the compute? I don't pay for it!

That is absolutely the wrong takeaway. The correct takeaway is that supply chain attacks and spam are real threats, and that these metrics can be gamed by malicious actors.

The work in cloning a repo is negligible, and the requirement of work is not a security design guarantee in github. The actual cost of liking projects is network, malicious actors need to create fake accounts, waste IP addresses and ip blocks in the process. Whether you are cloning or liking is just the last mile.

To me the takeaway is not to trust a project based on it's github metrics, and by extension not to trust projects just because they are linked and liked in hacker news for example. And to be wary of how I introduce dependencies into my projects.

Not just because of strictly malicious dependencies, but also because of trash dependencies that don't add value.

The weird thing is I've seen enough forks that have never seen any development that I'm pretty sure some people are using those as bookmarks rather than stars!

I would imagine those figures would mostly indicate which projects are most likely to be used in scripts or CI pipelines.

> They might as well just mark it as "Bookmarked" instead of "Starred".

This is how I always interpreted the star feature and have used it as a bookmarking feature. I didn't know it was more akin to a like button!

>For me starring a repo is liking bookmarking it, nothing else.

Literally all I ever use the stars for, I don't know what they are 'supposed' to be used for if not that.

For me, it’s "bookmarking obscure stuff". Why would I bookmark, say, React? I can find this easily. I only star stuff that has few stars and isn’t as easy to find later.

It seems like a conceptionally simple problem to grade a repo given the vast number of metrics available. Especially considering the advanced code analysis tools available today. I want a top-level analysis of some sort, based on: usage by other software (if applicable,) activity, issue frequency and resolution, derivatives (forks, etc.,) number of participants, code maturity, code testing, release frequency, license structure and many other parameters.

There is an opportunity here for a third party to do this well.

I have the same thing happen to me often. Sometimes I get a notification on my GitHub homepage that someone followed me a day or so ago, and when I click to view their profile it seems that they have already unfollowed me. For example, This guy did it, and he has 6K+ followers and is only following ~200: https://github.com/NobleMajo. It seems weird that he would follow me to unfollow me right away. I have a feeling that these accounts do this intentionally to harvest followers by prompting Github to show a ton of different people that he is following them in order to have them follow back in exchange. I think most people will follow someone back who follows them without really thinking about it. In my case I investigated who it was who followed me and realized he isn't actually following me and is probably harvesting followers. Why would someone waste time out of their life to do this? Who knows. Probably want to feel special or stand out from other people without doing anything to earn it.

That's not what the paper said. The numbers are much lower because not all starts are by unique accounts.

> In total, StarScout identified 4.53 million fake stars across 22,915 repositories (before the postprocessing step designed to remove spurious ones), created by 1.32 million accounts; among these stars, 0.95 million are identified with the low activity signature and 3.58 million are identified by the clustering signature. In the postprocessing step, StarScout further identified 15,835 repositories with fake star campaigns (corresponding to 3.1 million fake stars coming from 278k accounts).

What’s there to gain though?

Ah, so is the quid pro quo here that if I want to run a hackathon in my city I can get Acme Corp to toss their brand name on it and fund it, but only if I get my participants to also star the repo? That does sound fraudulent. Do they put these agreements in writing?

At many hackathons I attended (as a mentor, company sponsor, or judge) approximately a quarter of participants had never used GitHub previously. Such participants often thought of GitHub stars as bookmarks. Many hackathon sponsors provide Hackathon samples or references on GitHub - or guidelines for winning the specific sponsor's prize. As expected, those repos were "bookmarked" by the students. In this case this is a misunderstanding of the purpose of GitHub stars by these new users, but certainly not a fraudulent action.

That issue you are exposing is everywhere so if fraudulent is the word we can see that a lot of social media and Internet, in general, is also fraudulent. It is call-to-action and conversion everywhere.

> I personally think its fraudulent

It's fraudulent only because Github use "stars" to rank popular repos.

I think a repo should be ranked by code quality and update activity rather than "stars"

it doesn't if you really like it :)

This. Stars can be an initial indicator, but I also always skim the issues and the last commits, general activity, contributors, before deciding to use a some lib vs another for example.

> In my experience, open/closed issues ratio is much more important than star count.

What would you say is a good ratio?

So, make 100 bot accounts that each have 100 dummy repos and have each star all of other's repos, then start pumping those votes out of the network?

Each bot has 10k incoming stars from users who each have 10k incoming stars.

Remember, Google PageRank was bootstrapped with the N most visited websites.

How do you bookmark projects at GitHub? Basically, it is not the same a library with less than 10 stars than some popular ones with ten of thousands. It is true that you can game the system butnstats are a signal in a domain that you don't know well.

Starring projects is how I “bookmark” them so I can easily find them later. A high number of stars indicates many devs are interested in the project… if I had to chose a UI library with 10 stars versus one with 30,000 stars, it should be obvious why you’d pick the later. More interest likely means a bigger community behind the product.

I star repos as a way to bookmark them. I use the star counts as a rough metric for how popular a repo is. Something with a high star count will tend to have a larger community, more support, documentation, etc. Not always the case, but it can be a useful heuristic.

I like to keep track of interesting projects. It's basically just a bookmark for me.

When I'm looking for a library I'll consider them in order of # of stars.

e.g. I might search for "TypeScript ORM", open five popular repos, and then compare the two libraries with the most stars to make my decision.

I also use stars to bookmark projects, and I'll usually unstar a project once I've tried it out/no longer need it.

When repos are mirrored to github (so the commits aren't directly made by your account), your contributions to those mirrored repos aren't listed on your profile unless you star the repo.

So i star repos that are developed outside github so my contributions show up on my profile.

Cobra effect

True. I usually only star projects that "cool. I wanna try this sometime but not cool enough to try now"