GitHub's fake star economy

Posted by Liriel 4 days ago

GitHub's fake star economy(awesomeagents.ai)

801 points | 370 commentspage 3

socketcluster 4 days ago|

My project https://github.com/socketCluster/socketcluster has been accumulating stars slowly but steadily over about 13 years. Now it has over 6k stars but it doesn't seem to mean much nowadays as a metric. It sucks having put in the effort and seeing it get lost in a sea of scams and seeing people doubting my project's own authenticity.

It does feel like everything is a scam nowadays though. All the numbers seem fake; whether it's number of users, number of likes, number of stars, amount of money, number of re-tweets, number of shares issued, market cap... Maybe it's time we focus on qualitative metrics instead?

glouwbug 3 days ago|

That’s okay. I’m there with you too with about the same cumulative.

I measure my own projects by the enjoyment I got out of them. No sense in chasing validation from others when ones only metric will forever be what’s in their own control.

Applejinx 3 days ago||

No wonder I'm getting bombed with spammers: 0.1 fork/star ratio and 0.0527 watcher/star ratio for a 1.1kstar repo.

The thing is, they are all scammers whose emails go unopened… and the tragic thing is, most likely the VCs would require the same treatment if they did get all hyped up and try to get involved in my project.

There is nobody real who's desperately trying to reach me to extend a line of business credit. I'm not working in AI, rather the opposite, was not in crypto, etc etc, so I know it is just email scams from beginning to end, dozens every day.

It's kind of pitiful that if VCs tried to jump in, they would be indistinguishable from the scams.

pascal-maker 3 days ago||

Very simply, you need to see VCs as branding companies who give people with many followers brand deals. VCs think that if you have a lot of stars, you must have hit product-market fit — or something close — because many developers have started using your open-source tool. This isn’t necessarily always the case. Every weekend project from Andrej Karpathy gets loads of stars because he is the most famous person on GitHub. What I’ve noticed a lot is that the repos with the most stars most of the time already came from big companies open-sourcing their tools, or people building free versions of paid software.

Silamoth 3 days ago|

> Andrej Karpathy…is the most famous person on Git Hub

Is he really? I’ve only heard of him because HN is obsessed with his “AI” takes. Is he really that popular outside of this bubble?

pascal-maker 3 days ago||

If you asked a typical person outside of San Francisco or Silicon Valley, nine times out of ten they wouldn’t have a clue who he is. However, as a co-founder of OpenAI and the former Director of AI at Tesla, he is widely known and respected in the tech world—especially for coining the term 'vibecoding.'" He comes in as second on the list of Github Users Global Ranking right behind mister linux: https://wangchujiang.com/github-rank/.

mercurialsolo 4 days ago||

15 mins into this - Built this to identify the fraudsters https://github.com/mercurialsolo/realstars

We should do a hall of shame!

cmrdporcupine 3 days ago||

Can you vibe code up a firefox plugin, too?

therepanic 3 days ago||

It's a pity that no one will ever see this 15-minute slop.

tonmoy 3 days ago||

Steam wishlist, itch.io number of views, YouTube views and now GitHub stars… I’m tired of all the gamification of creativity. Now if you’d upvote my comment I can get same karma please and thank you

whilenot-dev 3 days ago|

Besides the ability to downvote comments after passing a threshold of 500, what else is HN karma good for?

tonmoy 3 days ago||

Who knows? The way things are going VCs could start asking claude to review someone’s online presence and Claude might decide karma is the best metric for that

whilenot-dev 3 days ago||

I don't mean hypothetical things... are there any more thresholds that unlock functionality?

bjourne 4 days ago||

> The CMU researchers recommended GitHub adopt a weighted popularity metric based on network centrality rather than raw star counts. A change that would structurally undermine the fake star economy. GitHub has not implemented it.

> As one commenter put it: "You can fake a star count, but you can't fake a bug fix that saves someone's weekend."

I'm curious what the research says here---can you actually structurally undermine the gamification of social influence scores? And I'm pretty sure fake bugfixes are almost trivial to generate by LLMs.

az226 4 days ago||

I’d say those CMU researchers are out of touch with the reality. GitHub can easily overhaul this with a much better system than what those researchers recommended but chooses not to.

evilsocket 3 days ago||

that's exactly the next-round attack. StarScout's network-centrality defense works for the current generation of campaigns but won't survive LLM-generated PR/commit patterns

Topfi 4 days ago||

I don't know what is more, for lack of a better word, pathetic, buying stars/upvotes/platform equivalent or thinking of oneself as a serious investor and using something like that as a metric guiding your decision making process.

I'd give a lot of credit to Microsoft and the Github team if they went on a major ban/star removal wave of affected repos, akin to how Valve occasionally does a major sweep across CSGO2 banning verified cheaters.

luke5441 4 days ago||

The problem is that if this is the game now, you need to play it. I'm trying to get a new open source project off the ground and now I wonder if I need to buy fake stars. Or buy the cheapest kind of fake stars for my competitors so they get deleted.

For Microsoft this is another kind of sunk cost, so idk how much incentive they have to fix this situation.

superdisk 4 days ago|||

An open source project really shouldn't be something you need to "get off the ground." If it provides value then people will naturally use it.

luke5441 4 days ago|||

How do people know it exists to solve their problem? Even before LLMs it was hard to get through VC funded marketing by (commercial) competitors.

My first Open Source project easily got off the ground just by being listed in SourceForge.

wazHFsRy 3 days ago||

How will fake stars help it getting of the ground?

luke5441 3 days ago||

My point is that not having fake stars may prevent you from gaining traction.

Organic users still have to consider it, but then they might not dismiss it outright because it has five stars or something.

mariusor 4 days ago|||

Haha, have you tried that? I think in this day and age marketing is much needed activity even for open-source projects providing quality solutions to problems.

superdisk 4 days ago||

I maintain a niche-popular project that I didn't do any marketing for. My understanding is that even for popular projects, the usual dynamic is that there's just one guy doing all the work. So "getting off the ground" just means getting people to use it, and there shouldn't be any reason to artificially force that.

tonyedgecombe 4 days ago||

It depends what your objective is. Many people seem to see their open source projects as a stepping stone into some commercial activity. Putting aside whether that is a good idea or not if that is what they want to do then they will need to market in some way.

Topfi 4 days ago|||

The issue with that is, it's a game that never ends. Now you need to inflate your npm/brew/dnf installs, then your website traffic to not make it to obvious, etc.

I am not successful at all with my current projects (admittedly am not trying to be nowadays), so feel free to dismiss this advice that predates a time before LLM driven development, but in the past, I have had decent success in forums interacting with those with a specific problem my project did address. Less in stars, more in actual exchange of helpful contributions.

Miraltar 4 days ago||

Citing Valve as a model for handling cheating is not what I'd have reached for.

Topfi 4 days ago||

Honest question, which companies handle the process better given it is a trade-off? Yes, VAC is not as iron-clad as kernel level solutions can be, but the latter is overly invasive for many users. I'd argue neither is the objectively right or better approach here and Valves approach of longer term data collection and working on ML solutions that have the potential to catch even those cheating methods currently able to bypass kernel level anti-cheat is a good step.

On Github stars, I'd argue they are the most suitable comparison, as all the funny business regarding stars should be, if at all, detectable by Github directly and ideally, bans would have the biggest deterrent effect, if they happened in larger waves, allowing the community to see who did engage in fraudulent behaviour.

halamadrid 3 days ago||

Buying stars explicitly is one mechanism. Another one is running Hackathons in India or lower cost countries with a prize, which is qualified by "Starring" said repo.

Easily 1-3k stars per hackathon from student or hackathon participants for a cost of $1-5k. And some free marketing comes with too since participants may post on LinkedIn or other social media if they win something.

jiveturkey 3 days ago||

6 million. is that a lot? it's too bad they don't tell us.

but i think based on their statement that north of 90% of the buying repos were terminated by github, i'd say there would be very very many more fake stars without any github intervention.

i guess i just wish they hadn't made the first words of the article "Six million fake stars" without putting that into scale.

ricardo81 4 days ago|

Same old story of centralised algorithms being abused.

Github stars is akin to 'link popularity' or 'pagerank' which is ripe for abuse.

One way around it is to trust well known authors/users more. But it's hard to verify who is who. And accounts get bought/closed/hacked.

Another way is to hand over the algo in a way where individuals and groups can shape it, so there's no universal answer to everyone.

More comments...