| ▲ | lukasgelbmann 3 hours ago | ||||||||||||||||||||||||||||||||||||||||||||||||||||
I use stars to try and protect myself from dependency confusion attacks. For example, let’s say I want to run some piece of software that I’ve heard about, and let’s say I trust that the software isn’t malware because of its reputation. Most of the time, I’d be installing the software from somewhere that’s not GitHub. A lot of package managers will let anyone upload malware with a name that’s very similar to the software I’m looking for, designed to fool people like me. I need to defend against that. If I can find a GitHub repo that has a ton of stars, I can generally assume that it’s the software I’m looking for, and not a fake imitator, and I can therefore trust the installation instructions in its readme. Except this is also not 100% safe, because as mentioned in TFA, stars can be bought. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| ▲ | whatisthiseven 2 hours ago | parent | next [-] | ||||||||||||||||||||||||||||||||||||||||||||||||||||
Sure, I suppose that is one solution, but given that buying stars has been around for at least 5 years, and I have been aware of people faking stars for longer than that, I am not sure why you would rely on stars as a primary metric. There are many other far more useful metrics to look at first, and to focus on first, and to think about. Every time you think about stars, you'll forget the other stuff, or discount it in favor of stars. Forget stars. They now no longer mean anything. Even if they did before, they don't anymore. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
| ▲ | MrSandingMan 3 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||||||||||||||||||||||||||
What does "TFA" mean here please? | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||