
You can find a set of requirements that aren't. Eg 2-factor can include phone number. And activity requirements can be based on repo maturity (not just pushing to random empty repos).

And while some bot accounts may have them, I doubt many have most.

Also, you argue on semantics but the general idea of setting up a legitimacy test that factors in various things is very easily doable, the factors can be kept private, and you definitely can find ones that are generally hard to game.



>You can find a set of requirements that aren't. Eg 2-factor can include phone number. And activity requirements can be based on repo maturity (no just pushing to random empty repos).

Then you have people complaining about being "shadowbanned" (because there's no recourse if you're a person and the algorithm thinks you're not active enough), or that github is being anti-privacy (by requiring phone number). It's hard to win here.


I think the point is that these requirements are not published, and they are not requirements to use stars. Anyone can star, no one knows whether their account is contributing to the star count. Now, presumably you could star a thing and check if the number went up but maybe introduce slight randomness or delay to obfuscate even those details. I remember when reddit removed the total upvote/downvote counts from the ui
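The two ideas raised above (a private, weighted legitimacy test for whether an account's star counts, and a jittered or delayed public count so that starring a repo does not reveal whether that star was counted) can be sketched in code. This is an added example written for this thread, not anything GitHub publishes or runs; the signals, weights, threshold, account records and the `secret` value are all constructed for illustration.

```python
"""Toy star-legitimacy filter plus an obfuscated public count.

Added example, not GitHub's code. Every weight, threshold and sample
account below is constructed; a real system would keep the weights and
threshold server-side and tune them against labelled data.
"""
from dataclasses import dataclass
import hashlib


@dataclass
class Account:
    name: str
    age_days: int
    twofa_method: str               # "webauthn", "totp", "sms" or "" (none)
    commits_to_mature_repos: int    # commits to repos that are not empty/throwaway
    external_prs_or_issues: int     # PRs/issues opened on repos the account does not own


# Constructed weights; each signal is capped so no single one dominates.
TWOFA_POINTS = {"webauthn": 20, "totp": 20, "sms": 10}
THRESHOLD = 40.0


def legitimacy_score(a: Account) -> float:
    """Weighted score in [0, 100] from account maturity and activity signals."""
    age = min(a.age_days, 365) / 365 * 30
    twofa = TWOFA_POINTS.get(a.twofa_method, 0)
    activity = min(a.commits_to_mature_repos, 50) / 50 * 30
    interaction = min(a.external_prs_or_issues, 20) / 20 * 20
    return round(age + twofa + activity + interaction, 1)


def counts_as_star(a: Account) -> bool:
    """A star is counted only when the starring account clears the threshold."""
    return legitimacy_score(a) >= THRESHOLD


def count_legit_stars(starring_accounts: list[Account]) -> int:
    return sum(1 for a in starring_accounts if counts_as_star(a))


def displayed_count(true_count: int, repo_id: str, day_bucket: int,
                    secret: str, spread: int = 2) -> int:
    """Public count with deterministic jitter in [-spread, +spread].

    The jitter is derived from a server-side secret, the repo and a time
    bucket, so it is stable within the bucket (the number does not flicker
    on reload) but a single starring user cannot tell from a +1 whether
    their own star was counted. Never returns a negative value.
    """
    h = hashlib.sha256(f"{secret}:{repo_id}:{day_bucket}".encode()).digest()
    jitter = int.from_bytes(h[:2], "big") % (2 * spread + 1) - spread
    return max(0, true_count + jitter)


# Constructed sample accounts: two that look like real contributors, two that do not.
SAMPLE_ACCOUNTS = [
    Account("maintainer", 800, "totp", 120, 30),
    Account("active_recent", 200, "webauthn", 40, 10),
    Account("sms_newish", 90, "sms", 10, 2),
    Account("fresh_empty", 3, "", 0, 0),
]


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct.name:14} score={legitimacy_score(acct):5.1f} "
              f"counted={counts_as_star(acct)}")
    true = count_legit_stars(SAMPLE_ACCOUNTS)
    print("counted stars:", true)
    print("displayed today:", displayed_count(true, "org/repo", 20240, "constructed-secret"))
```

The design choice worth noting: the filter is applied at counting time, not at starring time, so anyone can still star and the interface never tells the account whether it was trusted. The jitter makes single-star probing noisy, but it does not defeat an actor who controls many accounts and measures the count over many days, which is the limit the thread is discussing.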


The point is that this is not arguing on semantics nor is it as simple as just a "set of requirements" that they just follow. Battling fraud online is an entire business in itself. Take Spotify plays, YouTube views, Google search ranking, Amazon reviews, reddit votes, etc. These organizations have significantly more incentives than GitHub to reduce fraud in these metrics, and while they do, it's still really really hard and it's very easy to show how these metrics are gamed/faked all the time.

It's not a matter of "here is a list of requirements that no one knows about, and here is slight randomness/delay to obfuscate".

How much do you think it takes to pay an actual human from a poor country to come to work each day at 8am, create one github account after another, enter them in a database, and leave at 5pm?

If you want to "study" how github handles stars because there is legitimate financial incentive for you in it, for $100 a day you can pay 10 or 20 of those people to create a few thousand accounts a day. Do it a few times a month, and throw these accounts in an automated system that creates random repos, pushes a few commits here and there, etc. Also "introduce some slight randomness or delay to obfuscate these events". Do some A/B testing to figure out how the 300k accounts under your control affect a repo star system, then advertise a "GitHub stars service": "$0.50 per guaranteed star on Github". Your average VC funded startup could get 10k stars for $5k. They probably give AWS 10 times that a month.

Once github changes their requirements, do more testing, figure out what the requirements now are, then you're back in the game. If people do it all the time to Spotify, YouTube, Google, Amazon, Reddit, and Twitter, why do you think GitHub would somehow crack that nut?


As someone working with people on the other end of this table, I can tell you there’s a limit of risk, clarity and tech complexity that they are ready to bear. And it’s pretty low. It all works for them only because threads like this usually end up with “it wouldn’t work anyway if I, a six figure guy, had all the time and budget in the world to defeat it, so let’s do nothing” type of non-solution. Which creates a defeatist spirit culture. Paying third-world workers is often economically and structurally unviable for the most low-hanging bot-like activities and it doesn’t even stay that cheap either once the demand grows due to technical barriers. I, being a lot less paranoid and defeatist, also tell these guys that it won’t work because this and that, but then it works, because the solutions the defending side comes up with are either laughable or from “so dumb, I feel I’m gonna faint” category. You won’t believe the elephants that can fly under their radar.

> people do it all the time to Spotify, YouTube, Google, Amazon, Reddit, and Twitter, why do you think GitHub would somehow crack that nut?

Because the listed projects do basically nothing, a bare minimum. They don’t even care as long as bots don’t play against their direct interest. Who cares at a media company, or a sales company, who exactly is at their top, as long as they are both not bad enough? Profits come either way. They are all the shittiest examples of it, who created, incorporated and are themselves part of this problem.

It’s akin to an immune system. Its goal is not to protect you from every HIV and cancer, but to avoid constant infections from stupid low-effort attacks. You don’t have to make it perfect, but it must be there. The more cryptic it is, the less welcoming it is to game it through basic means, the better.


> the point is that these requirements are not published

Well-connected people will get the tip off. And your PR team will have to keep batting down conspiracy theories, since if there's one thing the nutters love it's black boxes.


> Eg 2-factor can include phone number

In GitHub organization settings you can require the use of only secure 2FA, which kicks out anyone who uses SMS 2FA.

