← Back to context

Comment by lukasgelbmann

3 hours ago

I use stars to try and protect myself from dependency confusion attacks.

For example, let’s say I want to run some piece of software that I’ve heard about, and let’s say I trust that the software isn’t malware because of its reputation.

Most of the time, I’d be installing the software from somewhere that’s not GitHub. A lot of package managers will let anyone upload malware with a name that’s very similar to the software I’m looking for, designed to fool people like me. I need to defend against that. If I can find a GitHub repo that has a ton of stars, I can generally assume that it’s the software I’m looking for, and not a fake imitator, and I can therefore trust the installation instructions in its readme.

Except this is also not 100% safe, because as mentioned in TFA, stars can be bought.

10 comments

lukasgelbmann

Reply
whatisthiseven  2 hours ago

Sure, I suppose that is one solution, but given that buying stars has been around for at least 5 years, and I have been aware of people faking stars for longer than that, I am not sure why you would rely on stars as a primary metric.

There are many other far more useful metrics to look at first, and to focus on first, and to think about. Every time you think about stars, you'll forget the other stuff, or discount it in favor of stars.

Forget stars. They now no longer mean anything. Even if they did before, they don't anymore.

  • ziml77  35 minutes ago

    Interesting that 5 years ago is exactly when this page showed up according to the Wayback Machine: https://docs.github.com/en/get-started/exploring-projects-on...

    In it they explicitly call it out as a ranking metric

    > Many of GitHub's repository rankings depend on the number of stars a repository has. In addition, Explore GitHub shows popular repositories based on the number of stars they have.

    Yet another case of metric -> target -> useless metric