Self proclaimed GitHub star. But still only 5000 followers and projects max out at 8000 stars.

I don’t know what I had expected but I think it was bigger numbers than that.

https://github.com/sw-yx

I don’t know this user and won’t assume his intentions, but I can see how having “I’m a GitHub star [star emoji]” as the first sentence on the profile is doing him a disservice: it makes it seem like it’s the most impressive thing he’s achieved and diminishes everything else.

Also, I meant in the sense that you call someone “mister McSmug” and they reply almost angrily with “doctor McSmug”.

Thank you for the work you do and for how much you have contributed to people learning over the years. <3

In other words: it makes zero difference to me what you write in your bio though I can see how its previous wording took away from what’s important. I was conveying to the parent comment my understanding of the comment they were replying to.

Apologies for making you feel judged, that was not the point. Quite the contrary: I wanted to underline that by not knowing your intentions it does not make sense to criticise how you choose to present yourself.

I've never seen his github account before but I expect that people following him there are doing so because of the content he's putting out. His blog has been on the HN Frontpage many times and has a book about developer career building.

My github account isn't as pimped out as his, but marketing yourself isn't toxic, it's smart.

i honestly dont even view my github readme as "marketing yourself". most pple dont even go to an individual's profile in the first place, but if you do its kinda like a cute little myspace thing where you can let people know you as a human being and be a little quirky. i certainly dont hold myself out as an authority on writing the best software in the world and hey if 40k stars on the react-typescript stuff doesnt count i'm alright with that

well idk what "github influencer" even means but fwiw i am not "people living just from github". ive never taken a dime of github sponsor money. as far as github is concerned i just put my stuff up for free and the github stars program gets me an early look into new features so i can give them feedback. (eg i helped with Hey GitHub before the big launch at GH Universe).

obviously i'll happily ambassador github to anyone who will listen but who isnt already on github here

At least that's how the 3rd party recruiter told me he found me. It's possible he was lying and thought it would impress me (it did).

My profile is more active than most, but very far from rockstar.

Had to change my Location (or some similar obvious field) in my GitHub profile to "Recruiters FUCK OFF" before they took the hint. ;)

Thankfully, GitHub introduced some other way to signal if you are/aren't interested in getting a job (toggle switch?) not long after, which seemed to work.

It seems odd to title them influencers based on that.

The book presents similar stories.

I follow him on GitHub, and pay for some of his products. I have been heavily influenced by his coding styles, and the tools he uses. His code just looks so tight and perfect. He writes his stuff so open ended and reusable that he basically writes a method once, and then reuses it across numerous projects.

Look at this tight code: https://github.com/laravel/framework/blob/10.x/src/Illuminat...

I’d say that Adam Wathan is rapidly growing his influence as well, and is probably doing alright too.

Heuristics can only be used to identify suspected spammers. Not everyone who behaves like a spammer is a spammer, it could be e.g. a random user with privacy settings on, or someone who didn’t update their bio in a while and it got affected by link rot, etc.

Even if a group of low activity accounts stars the same projects, it could be that the account owners just discuss these projects elsewhere.

Very soon, the domain of bullshit will extend to actual text. We'll be able to buy HN comments by the thousand -- expertly wordsmithed, lucid AI comments -- and you can get them to say "this GitHub repo is the best", or "this startup is the real deal". Won't that be fun?

I rely heavily on this because it's somehow only after the comment is 'real' (i.e. staring back at me from a real HN thread) that I notice most of the edits I want to make.

Phone, then ID-based verification is a stop gap, but IDV services will have to spin up to support the mass volume of verifying all humans.

[1] I kind of want to do this from an innocent / artistic perspective myself. Perhaps a bot that responds with a bunch of rhetorical questions or onomatopoeia. Then I'd scale it to the point people start noticing and feeling weirded out by it. "Is this the new Gen Alpha lingo?" Alas, I have too many other AI projects.

I first tried Google; the results are dominating by commercial crap.

Then I tried the "google reddit" trick to try and find some real people's opinions... but look at all the blatantly bullshit comments on this Reddit thread; https://www.reddit.com/r/Thunderbird/comments/ae4cdg/good_ps...

---

(if anyone is wondering, the best option for Windows is to use 'readpst' command via WSL. Comes in the 'pst-utils' package).

Of course it's not always easy to say what's AI-generated or not. But if an account is making a habit of it, it still seems possible to tell.

Definitely already the case, you really think Rust and SQLite would get more than a couple of upvotes otherwise? :D

Then again, maybe Google had some mandatory HN time for their employees, that would be enough to explain that :D

The obvious problem is we don’t have any great alternatives. We have captcha, and we can look at behavior and source data (IP), and of course everyone’s favorite fingerprinting. To make matters worse: abuse, spam and fraud prevention lives in the same security-by-obscurity paradigm that cyber security lived in for decades before “we” collectively gave up on it, and decided that openness is better. People would laugh at you to suggest abuse tech should be open (“you’d just help the spammers”).

I tried to find whether academia has taken a stab at these problems but came up pretty much empty handed. Hopefully I’m just bad at searching. I truly don’t get why people aren’t looking at these issues seriously and systematically.

In the medium term, I’m worried that we’ll not address the systemic threats, and continue to throw ID checks, heuristics and ML at the wall, enjoying the short lived successes when some classifier works for a month before it’s defeated. The reason this is concerning is that we will be neck deep in crap (think SEO blogspam and recipe sites but for everything) which will be disorienting for long enough to erode a lot of trust that we could really use right now.

I can see lots of reaosns people might oppose the idea but I am not sure why it's not a widely discussed option?

(asking honestly and openly - please don't shout!)

I am very aware of "designing a security system they themselves cannot break" and the difficulties of key management etc.

Would be interested in knowing more from smarter people

(probably need to build a poc - one day :-( )

Right there… it won't work with the general population.

We have the penetration

(Afaik smartphone penetration is around 4.5-5 BN, and something like 50%+ have secure enclaves but honestly Indont follow that deeply so would defer to more knowledgeable people)

There isn’t a widely deployed public key network with keys that represent a person, afaik. PGP is the closest maybe?

They don't own a key pair. They carry one around, which is owned by google or some other entity?

All of those notions are pre-internet ways of proving identity. In a world where we're all rarely more than an arm's length from a globally connected computer, they're on the way out.

If someone walks upto me in the voting booth and says "vote for X or I will kill you" that's a crime. If they do it in the pub it's probably a crime. If they do it online the police don't have enough manpower to deal with the situation.

We should change that.

Every time some fuckwit tweets "you and your kids are going to get raped to death and I know where you live" because some woman dares suggest some political chnage I would like to see jail time.

And if we do that then I can understand your argument, but I would then say it is not valid - in a society that protects free speech.

And this is important because a "fair democratic society" that doesn't need people to be able to protest is, as history has shown many times, only a temporary affair. The best way to keep it is to not give the government the tools a worse government could use to suppress dissent.

Much more likely is that I'll vote ignorantly because I lack information that someone withheld because they're intimidated by the authorities.

I think there are cases for anonymous/pseudonymous speech, but I think that's going to have to shift away from disposable identities. Newspapers, for example, have been providing selective anonymity for hundreds of years, so I think there's a model to follow: trusted people/organizations who validate the quality of a non-public identity.

So a place like HN, for example, could promise that each pseudonymous account is connected to a unique human via some sort of government ID with challenge/response capability. Or you could end up with third-party ID providers that provide a similar service that goes beyond mere identity, like the Twitter Verified program scaled up.

Disposable identities have always been a struggle. E.g., look at Reddit's very popular Am I the Asshole, where people widely believe a lot of the content is creative writing exercises. But keeping up a fake identity over the long term was a lot of work. Not anymore, though!

Of course we do. The rise of digital finance services has led to creation of a number of servives that offer identity verification necessary for KYC. All such services offer APIs, so adding an identity verification requirement to your forum is trivial.

Of course, if it isn't obvious, I'm only half joking.

There's always identity based network of trust. Several other members vouch for new people to be included.

If someone down the line does some BS activity, the accounts that vouched for it have their reputation on the line.

A whole tree of the person who did the BS and 1-2 layers of vouching above gets put on check, gets big red warning label in their UI presence (e.g. under their avatar/name), and loses privileges. It could even just get immediately deleted.

And since I said "identity based", you would need to provide to real world id to get in, on top of others vouching for you. It can be made so you wouldn't be able to get a fake account any easier than you can get a fake passport.

If the former, it looks quite impractical unless there are widely trusted bulk verifiers. E.g., state DMVs.

If the latter, then it all looks quite prone to corruption once bots become as convincing correspondents as the median person.

Yes and yes.

>If the former, it looks quite impractical unless there are widely trusted bulk verifiers. E.g., state DMVs.

It's happened already in some cases, e.g.: https://en.wikipedia.org/wiki/Real-name_system

>If the latter, then it all looks quite prone to corruption once bots become as convincing correspondents as the median person

How about a requirement to personally know the other person in what hackers in the past called "meatspace"?

Just brainstorming here, but for a cohesive forum, even of tens of thousands of people, it shouldn't be that difficult to achieve.

For something Facebook / Tweeter scale it would take "bulk verifiers" that are trusted, and where you need to register in person.

The first time you don’t get a job because of a reference you gave you learn a lesson. If it ever happens again, it’s on you.

If a company is proactively contacting people you don’t give them contact information for, that’s not requiring references — which is the process I (and the comment I replied to) was talking about. If a company knows where you’ve worked, they can contact them if they want.

If they proactively contact someone as part of their verification?

In the past, I’ve extended the time I was at either the company before/after and then leave the one in the middle off. Smaller gap is easier to explain and you just need a coworker at the one you stretched to cover for you - or have it be somebody who wasn’t there during the time you added. You can also just say you did the “freelance” thing and then talk about whatever you want.

I’ve also just been 100% honest and said, “I didn’t like this job and left on bad terms. I’d rather you not contact them.”

Just have to read the situation and make your best guess as to what is going to get you the job.

I'm hoping to put an AI between me and my e-mail inbox this weekend (I had ChatGPT write most of the code; it's not much); not fully automated, but evaluating and summarising and categorising. I might extend that to e.g. give me an "algorithm" for my Mastodon timeline (despite all of the people insisting on reverse chronological, I'm at a few hundred people I follow and already can't keep up), and a number of other sites I visit. For most of these things latency does not matter, so e.g. putting them through llama.cpp rather than something faster is fine, and precision isn't critical (I won't trust it to automatically reply or automatically reject anything, but prioritisation an categorisation where missteps won't have any critical impact.

You're forgetting the millions of additional comments that will be written by humans to trick the AI into promoting their content.

Even worse, currently if you ask Chat GPT to write you some code, it will make up an API endpoint that doesn't exist and then make up a URL that doesn't exist where you can register for an API key. People are already registering these domains, and parking fake sites on them to scam people. ChatGPT is creating a huge market for creating fake companies to match the fake information it's generating.

The biggest risk may not be people using AI-generated comments to promote their own repos, but rather registering new repos to match the fake ones that the AI is already promoting.

E.g., if I create a great paintbrush which creates amazing spatter designs on the wall when it is used just so, then, beyond a point, I have no way to control the spatter designs - I can only influence the designs to some extent.

If you disagree or have proof of the opposite, just say so and don't vote up. There's no reason to get so emotional we also try to hide it from the community by spamming it down into oblivion.

As far as I can tell most people just use it as a shorthand for “wow that was weird” but there’s no difference as far as the model is concerned?

Wrong is saying that the sun rises in the west.

By hallucinating they’re trying to imply that it didn’t just get something wrong but instead dreamed up an alternate world where what you want existed, and then described that.

Or another way to look at it, it gave an answer that looks right enough that you can’t immediately tell it is wrong.

Does ChatGPT consistently generate the same fake data though?

I don't think an arms race for convincing looking bullshit is going to turn out well for our species.

https://xkcd.com/810/

On the bright side, it's THE time to cultivate close friendships and to seek like-minded people. The entire phenomenon of popular attention hugging a community to death does not exist any longer. You can now have OG members persisting with notions for a long time and building a shared mythos with a small group of friends, because information is now more accessible than ever.

Obviously, most people aren't part of these communities. The people that are "drifting" alone are given to wasting their time on charismatic attention-seekers that talk a big game (twitch/e-celebs) but deliver nothing of value. So there's also room in the market for charismatic folk with some technical expertise to rally people to their cause, but only very briefly. This is because the number of people half-committing and then jumping ship is likely the highest it's ever been. Also, platforms have now resorted to paying people to stay on their platform (youtube / tiktok / sponsorships / twitch boosting streamers / etc.) to combat occasional ennui, ironically exacerbating the issue.

It's a really bad time to try and get the attention of someone more famous / notable than you, though. Sure, you can go on $platform and talk to them, but it's really not the same when they have a gorillion other messages. Same goes for people in large communities that are a "guy" there, known for something. Extremely high-return investments but you're likely going to fail.

Some people try to start youtube channels / info streams and then entice people to join their forum / server. While this does seem to work, it only brings in quality people AFTER the community is fully formed and rigorous laws are in place. The initial stragglers are usually the recently excommunicated looking to try their hand at the same shit somewhere else.

If you really put some effort into a topic and blog about it, you're likely to get some high-quality responses even if you only pose a question to someone that's partly interested. I've found this to be a really great way to separate the folks that are actually interested from those that aren't. You'll usually get people around your own level this way and IME this is the best approach.

It takes a lot of effort to make people clock in regularly to your online circle, and it's better to establish digital / irl face-to-face contact after a good interaction. It builds trust and because we're wired to judge people from their facial reactions rather than text, it also sobers conversation / tempers over potentially divisive topics. Works well with cerebral / "deep" people. Doesn't work with people that only come online to blow steam / enact a persona, so it's a good filter.

TL;DR: Touch grass (digitally), make friends (digitally)

Sometimes signals are noise we just need to calibrate.

Those of us who are careful internet readers have spent years developing good heuristics to use textual clues to tell us about the person behind the text. Are they smart? Are they sincere? Are they honest? Are they commenting in good faith? Those skills will soon be obsolete.

The folks at OpenAI, who are nominally on a mission to make sure AI "benefits all of humanity", have condemned us to a life sentence of fending off high-volume, high-quality bullshit. Bullshit that they are actively working to make harder to detect. And I think the first victims of that will be internet forums where text is the main signal, places like this and Reddit.

"The more any quantitative social indicator is used for social decision-making, the more subject it will be to corruption pressures and the more apt it will be to distort and corrupt the social processes it is intended to monitor."

That was a bit shocking to me to learn.

I always expected there was a market for fake stars. I am trying to get a repo naturally to 1000 stars, but I would never buy them.

Unnatural: pay some bot runner to buy stars.

I prefer natural as the stars are a metric not an end goal.

That just shifts the question to why is "reach" something worth wanting?

> some people with snap judge a project by number of stars and more likely use it if it has a bunch.

And why do you want these users?

2. they may just be busy users, looking for something for their job.

I take on board your point though. The stars thing isn't the biggest consideration by a long shot. Probably the smallest!

That's how record labels can simply decide what's going to be the next summer hit. They pick a song and promote the hell out of it. It's not the summer hit because it was somehow better, just more promoted.

It's unfortunate as I've seen stars used as a metric of trustworthiness in general user discussions.

[1] https://news.ycombinator.com/item?id=33917962

There are obvious numeric usernames, but also fake orgs with repos for the users to fork and interact with, and a few account takeovers (i.e. someone had signed up for GitHub in 2015 to make a free wedding website, abandoned it, and the account fell into spammer hands). These used to be easier to report.

With collaterals too I presume [1]. I guess I've been the victim of some automated system. They have banned my account without warning or explanation and they've been ignoring my support tickets for about 2 months!

[1]: https://news.ycombinator.com/item?id=34817163

Which is especially ridiculous if this was due to a false positive spam detection as real spammers will not bother with chasing support when new accounts can be created easily.

Show HN: there are maybe dozens of those posted everyday but they rarely hit main page.

Reddit ad is great to kick off the star growth, but unless you have something interesting to many people, don’t expect more than 50 stars on first day and plateau to a star every few days.

Most GH stars I’ve got was from somebody mentioning my project in comment in some heated discussion on HN. So I guess drama sells?

> we track our own GitHub star count along with that of other projects. So when we spotted some new open-source projects suddenly racking up hundreds of stars a week, we were impressed. In some cases, it looked a bit too good to be true, and the patterns seemed off

If their competitor has fake-looking star counts, I'd expect them to be the ones best equipped and most likely to suspect it.

1. Indicates the astroturfing without actually specifically calling them out 2. Does so in a way where others can verify their work and use it on other repos 3. Uses their product to do so

Seems pretty brilliant to me.

Really? I honestly just don't believe this... if I were to believe this, I think I'd have to conclude the world is just too broken to bother rescuing.

It takes a lot more effort to collect multiple metrics along different axes, understand the skew/bias of them and make an informed decision.

Visibility and ease of consumption are the most important aspects of a metric if you want people to use it.

The enterprises I deal with cared almost exclusively about stuff like license choices, support contract options, and "invoice billing" ;P. The vetting process I've dealt with at VCs was intense, having worked both sides of that situation; and I know multiple people who have worked data science jobs at such firms to try to better select investments. As for a "talented professional", I can pretty much guarantee they are going to look at your codebase, not the number of stars it has, while they evaluate any number of more reasonable things to judge an opportunity on (commute, pay, management style, etc.). A key property of competent deciders is that they aren't using trivial metrics.

What did I miss? What's the best answer you've ever heard? How do you evaluate 3rd party dependencies?

Of course there can be libraries that are more or less "finished", so the last commit/frequency of commits isn't on its own a deciding factor, but in proper context/holistically it is definitely an important metric!

(When I was in high school, I used to work for a pre-Internet company that helped people pre-filter interview candidates for ads posted in classified sections of newspapers and what they did was have questions like this that could be asked by people well before they reached your calendar for an interview.)

If you avoid building on something that's constantly shifting (the web) then the need to update goes down significantly.

Contributors is the most informative page for me. So many projects are 1 man show basically all the time. I don't mind that, it means passion, but it also mean it can dissaper any moment depending on circumstances.

I also look into issue details to see how maintainers communicate with community members that do due dilligence before aksing for help.

Stars only mean something because of the people who do. They're the ones leading the herd. If you're just going off the social signals, then you're just monitoring where the herd is going.

The main question I'm asking myself while looking at the code is: if I had to fork this thing and maintain it myself, how would I feel about it? Because sometimes that happens.

I actually blogged my answer to that exact question recently (shameless plug):

https://philbooth.me/blog/how-to-evaluate-dependencies

I prefer to look at the recent commits, or any recent activity on the repo's issues, but I would like to know what else can be used as an indicator.

I'd like the project to not introduce security vulnerabilities or bugs into my code. I thereby care what language it was written in, what libraries they use, what their testing and QA/CI process is, and whether it is being used by any "critical" projects (like, if that library is embedded in Chrome, you have to bet there are tons of people like me every day trying to hack it).

As part of that, I care about if the project takes a cavalier attitude towards contributions: if I see a number of pull requests from random "contributors" being casually accepted, that is going to be a major major red flag; if possible, I want to see a core team doing most of the development and integration (and not merely most of the "review", add I see in some projects where the people in charge feel above doing work).

I definitely care that the project is being maintained and that there are people paying attention to issues, and it needs to have a culture of taking bug reports seriously... nothing is more dangerous than a project that tries to pretend they are responsive using bots to "automatically close" issues: I'd rather see bugs open for years than worry a critical issue was reported and subsequently lost.

I am certainly curious how work on the project is funded and whether I can trust that its license is going to hold constant over time: I don't want to end up relying on a dependency that is really the pet project of a small startup that is either going to disappear next year or will decide to redirect development to a closed-source fork. I'd thereby also prefer the project be run by a core committee of participants from multiple companies.

I honestly can't imagine caring two shits about how many stars a project had on GitHub... hell: what if the project isn't even on GitHub? What then? Do you just give up and decide it sucks? A world where everyone feels any incentive at all to put their code on a centralized platform is one where we have all failed as stewards of the future of software :(.

My own angle is that copilot has shifted the incentives around this practice, maybe substantially. Businesses want to get (free tiers of) their paid SaaS endpoints into copilot suggestions - it's a great funnel!

I'd guess that github is as likely as not to become an SEO spam battlefield (like the rest of the web).

That’s so brilliantly evil…

I can see the next generation of “how I got to $3m in passive income” articles being written (by ChatGPT) right now.

https://github.com/Hellisotherpeople/Bright

Edit: I love clustering, I really do, but I think that techniques like the one I am using are far superior to unsupervised learning for trying to detect fake accounts in this context.

Kind of ironic that they’re using blog articles and social media to pander for more stars on their GitHub project.

I think 2 great community activity indicators are - Github issues and of slack/discord/discourse comments. One key thing with github issues in my opinions is that, If the github issues are mostly by the core team, it is not a great sign. You want a large mix of issues from customers or users and not from the team. This is a good indicator if the project is solving real problem or not. Stars is very low threshold action. Same goes with the slack comments, it should have both volume and freshness.

Also if you get "smart" and donate on multiple cards, I would think it is a trivial task for github to determine is is a scam. The CC address would match you Address for the funds your receive.

Probably way too much work for this :)

> https://docs.github.com/en/sponsors/sponsoring-open-source-c...

> GitHub Sponsors does not charge any fees for sponsorships from personal accounts, so 100% of these sponsorships go to the sponsored developer or organization. The 10% fee for sponsorships from organizations is waived during the beta. For more information, see "About billing for GitHub Sponsors."

In a very strange way (but reflective of the economic regime) a startup that fakes stars vs a straight-arrow startup that doesn't is demonstrating a key element for success in business, which seems to require a significant element of bullshiting, and outright deceiving. The mantra has been that "grow grow grow" is the only guideline for success. Inflating your stars is just rookie hour practice for bigger better growth b.s. down the line.

(The firm X, however, is a more well-known name than my ex-employer was).

A while ago, I listened to a Freakonomics episode where it was discussed that businesses use proxies to both boost their image and to cover up their incompetency. The example was that a lot of businesses chose fancy names starting with A (like, AAA plumbers), so that they get listed first in business directories. These firms were later proven to be very incompetent and/or even fraudulent.

The relevant paper, also cited in the episode, was "A Business by Any Other Name": https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1667550.

https://freakonomics.com/podcast/is-google-getting-worse/

Instead I found a system that seems to be thoughtfully designed and, crucially, easy to debug.

I tend to check the age difference between the earliest and latest commits because that lets me be sure it's not a project that someone spent a couple weeks coding up, dropped on github, and then forgot about. I'll also check the issues on there. I'm looking for more closed issues than open ones, but I'll also quickly scan over them to get a rough idea of how many are truly meaningful issues. I also get signals from the readme and docs. It's not a hard pass if there's issues with those, but it's certainly helpful to my opinion if they exist and are both clear and detailed.