This doesn’t surprise me at all… Just like bots in games. Selling a service that benefits another. Its shady, but definitely believable.
Also, what if this is an actual viable way to “market” for an open source project?
This doesn’t surprise me at all… Just like bots in games. Selling a service that benefits another. Its shady, but definitely believable.
Also, what if this is an actual viable way to “market” for an open source project?
I almost commented something like “thats extremely overpriced, why dont you set up a raspberry pi to do it for you for free” and then i realized the people who could do that dont need fake stars.
How would the raspberry help? It is accounts needed.
Automation. You replace the user with a script that does everything. Not that hard. Captchas dont really work anymore with ai, and you can pay people to do it for you for a fraction of a cent instead of the absurd prices listed.
But you still need the user accounts. Which must be created and are verified by email. Then you have to generate tokens for them to call the api endpoint to add the star. I’m not saying it isn’t doable, but it would be non-negligible and GitHub is going to squash you back at some point creating all those accounts from one source.
Right - the cost is your time instead of dollars.
I don’t like doing stuff, so I give my time an hourly rate of $100. Absolute BEST case scenario (for me) would be that this is a weekend project, so call it 10 hours.
So my best case break-even point would be 10K stars. Which seems like it’d be more than I’d need?
But the main point is that good and well-written code doesn’t need this sort of misdirection, nor would the authors generally engage in this sort of thing
You seem to imply bad programmers use these services to star-boost their otherwise mediocre code. That might be the case, but there are other –at least conceivable, if not yet proven– use cases for these star-boosting services, such as typosquatting, the promotion of less secure software as part of supply chain attacks (with organizations sticking to vulnerable libraries or frameworks in the erroneous belief that they are more popular and better maintained than alternatives, for example) and plain malware distribution.
I mean… I was sort of taking “good” code to imply “not malicious”, in addition to it being written well. But yeah, I completely agree, in the context of attack vectors you mention.
On the one hand, one Raspberry Pi would not really suffice. As @[email protected] argued, you would need legitimate email addresses, which would require either circumventing the antibot measures of providers like Google or setting up your own network of domains and email servers. Besides that, GitHub would (hopefully) notice the barrage of API requests from the same network. To avoid that and make your API requests seem legitimate, you would need infrastructure to spread your requests in time and across networks. You would either build and maintain that infrastructure yourself –which would be expensive for a single star-boosting operation– or, well, pay for the service. That’s why these things exist.
On the other hand, although bad programmers might use these services to star-boost their otherwise mediocre code, as you suggest, there are other –at least conceivable, if not yet proven– use cases, such as: