
I don't know for certain but I feel like this could allow something like:
1. Take over/inherit a public repo with lots of stars
2. Take the repo private (retaining stars)
3. Replace the repo code with some malicious/offensive code
4. Take the repo public again
5. Inherit the trust/prestige of the old repo


But couldn't the same be achieved without taking it private?


You can do that without the “making it private and public again” part anyway.


Yeah, that's a risk. They could mitigate it by allowing you to revert all branches/tags back to the pre-private state, but we're getting more and more complicated here.


Yeah, but it's not like stars are seen as some amazing endorsement on the part of the individual starring. It's more like a favorites list, if anything.


Stars absolutely are seen as an endorsement. I'm guilty of that for sure, and I've been in a ton of conversations about adopting something where the "number of stars" is often a consideration, unless it's a project like React or Vue, etc.

Would you really not look at two repos that do the same thing, with similar ages and recent commits but one has zero stars and the other has hundreds, and not at least initially trust the latter more?



