
Transferring GitHub stars - franciscop
https://francisco.io/blog/transferring-github-stars/
======
shurcooL
To point out what might be obvious: this doesn't transfer _just_ the stars. It
simply swaps two repos, which means the issue tracker, pull requests,
watchers, forks, projects, etc., also get transferred with the stars.

It's not possible to transfer just the stars while maintaining all the things
that you can't directly control.

I did something similar when I decided to change my github username without
changing all the import paths of Go packages I had. I changed the username,
made an organization with the same name as my previous username, then moved
all my repos to the organization. So the URLs of all the repos stayed
unchanged. [1]

[1]
[https://twitter.com/dmitshur/status/1021266582834634752](https://twitter.com/dmitshur/status/1021266582834634752)

~~~
eridius
When you rename yourself on GitHub, their Help says they put in redirects for
all of your repositories (that last until such time as someone else claims
your old name and creates a new repository with the same name as one of your
old repositories, as this new repository supersedes the redirect). So
squatting on your old name is a good idea to protect the repository URLs, but
actually transferring your repositories to the squatted name seems
unnecessary.

~~~
shurcooL
Yeah, I was aware of the redirects, they're very helpful! It would've been
okay to rely on redirects on a temporary basis if my long-term plan was to
move everything to the new username. But I wanted the repos to keep their old
URL permanently, so that's why I moved them.

------
nstj
Fun fact: there's a reflog on the _GitHub_ remote so even if you force push
you can still see what the previous commits in the repo were.

So in this case even if you force push to the highly starred repo people
_could_ see that it had old commits (and restore to those on their local too).

Nice writeup on it:
[https://medium.com/git-tips/githubs-reflog-a9ff21ff765f](https://medium.com/git-tips/githubs-reflog-a9ff21ff765f)

This has definitely saved my bacon when I've force pushed to a GH repo before
and had to restore something.

~~~
rococode
I'm no git master and after searching around a bit I wasn't able to find a
clear answer to this so I'm hoping someone can enlighten me:

Say I accidentally push some private info and overwrite the commit with a
force push. The commit history doesn't show the mistake commit at all, but is
it actually still accessible through reflog?

I'm pretty sure I've done this with some of my smaller projects so now I'm
concerned that some of my passwords/keys are actually floating around
somewhere. I read some info about reflog automatically pruning, is it likely
that this is the case for my projects and I have nothing to worry about?

~~~
bjz_
Afaik (I'm no security expert), as soon as you pushed them to a public repo
you should change them all regardless of force pushing, because there's no way
to take it back. Folks do trawl github for passwords and secrets.

------
Waterluvian
Makes me think of Theseus' ship. Change piece by piece out over time. Is it
still the same repo people starred?

This feels a lot like what happens when a brand is sold. Is it really the same
product?

Stars generally "work" because, I think, we assume repos converge to
something. The older it is, the less likely changes are to be drastic. And
maybe that's true. But it clearly doesn't have to be.

Of course we shouldn't rely on star count as any sort of quick and dirty
metric of quality... But I think many of us do.

~~~
Memosyne
I'm still hoping for a system that can evaluate the quality of a codebase
given certain parameters and assign an average rank automatically.

~~~
jondubois
I'm extremely skeptical about automated code quality scoring tools. Most of
them focus on superficial metrics and completely miss the important stuff.

One of the most important metrics for project quality is how easy it is to
implement new features. Good code is easy to extend and build on top.
Developers who haven't worked on the project before should be able to easily
jump in and start contributing good PRs. I don't think that this kind of
scoring is something that can be automated... At least not for a long time.

~~~
AndreJohansson
Actually this is somewhat already done in a quite clever way by the product
CodeScene by Empear ([https://empear.com/](https://empear.com/)). This tool
looks at the history of files in a repo and detects a lot of things such as:

* Correlation between files (we always seem to change b.cs when we change a.cs)
* We have lost knowledge in the team, file a.cs was 85% created by developer X who has now quit.
* A certain file is often modified (indicating too many responsibilities, and thus "bad code").

and so on.

More details:
[https://empear.com/blog/software-revolution-part1/](https://empear.com/blog/software-revolution-part1/)

------
amingilani
I don't understand why this is a major deal, though. Allowing users to rename
resources will always result in this kind of behavior, but I don't see how
this could be a bug or a security hazard. Some similar things you can do:

+ Swap the handles and profile information on Instagram — transferring Instagram followers

+ Swap the handles and profile information on Twitter — transferring Twitter followers

+ Change the team name & URL on Slack — transferring Slack users

This is fairly widespread but benign behavior.

~~~
franciscop
I agree, it's benign behaviour but developers and companies should be aware of
the potential for misuse. Especially, stars in GitHub should not be considered
a proxy for quality (I say this as the #2 most popular in star count in
Japan).

It's a warm reminder for the future, since as the JS ecosystem keeps growing
exponentially people will very likely start to search for metrics such as star
count to know what to trust. This made quite a bit of noise recently for
instance:
[https://hasvuepassedreactyet.surge.sh/](https://hasvuepassedreactyet.surge.sh/)

------
ReverseCold
I noticed the HN comments at the bottom of the article. Is HN sending
webmentions or is there another way that the site is retrieving them?

~~~
franciscop
Author here, I created and alpha-launched
[https://comments.network/](https://comments.network/) a while back, but have
since officially discontinued it and you should really not depend on it. I am
considering open source-ing it, would that be interesting at all?

~~~
MasterScrat
Ah, something like this has been on my TODO list forever, would greatly
appreciate it!

------
knocte
It's obvious why this works. What would be great is to be able to merge stars
from two projects into one.

~~~
caseysoftware
That's from the project owner's point of view but what about from the
starrer's perspective?

I _think_ most users use stars to denote endorsement/interest in a project. If
you move my endorsement from projectA to projectB just because they merged,
that assumes my endorsement/interest still applies.

That feels like a significant assumption that may not hold.

~~~
wpietri
Exactly. I'd be 100% mad if I found out somebody shifted my public validation
of their project to something entirely different. If I catch anybody doing
this, they're dead to me. It's straight up fraud.

~~~
franciscop
When should a project be considered something entirely different? See the
other top level comment about Theseus' ship. Is Angular 2 different from
Angular 1 for example? Would you be mad for them keeping your star? What about
changing the direction of products? There _are_ valid cases and how much
something changes is variable, so there is no clear line IMHO. It depends on
each individual then to make their own judgement.

~~~
wpietri
There are no clear lines anywhere in the world. Everything gets subtle upon
close examination. Do you bring this fact up all the time? E.g., if your
friends are going out to brunch, is there a long soliloquy about how the right
term depends so much on exact time of day, history of the cuisine involved,
and the specific foods people eat? That really maybe it's more lunch, or
elevenses, or perhaps really more what's meant by morgenmete or perhaps petit-
déjeuner? Perhaps best not to name it at all and let each person just see it
as they see it.

Or do you instead only demand this level of philosophical nuance when, as
here, it lets someone committing fraud off the hook?

~~~
franciscop
Yup, I love discussing the limits of reality with my close friends. Obviously
it's not a soliloquy if I'm discussing with my friends. The way different
people see the same thing is f***ing interesting TBH, and one of the things I
love the most of meeting new people.

And no, I don't think here I was committing fraud. I purposefully did this to
push and find out what other people think! But still staying on the side of
what I consider ethical. (Honest) thanks for letting me know your opinion
though.

------
comesee
What's the practical use of a high star count?

~~~
phamilton
If I'm looking for a library and I find two that do what I need, I generally
go with the one with the higher star count because it signals a larger
community and therefore it's more likely to get some bug fixes and
improvements.

~~~
philbo
I don't think GitHub stars are a reliable indicator of community size. They are
often an indicator of how much effort someone has put into promoting the
library on social media. Some people have starred thousands of repos that they
only ever looked at once when they saw it on the front page of HN (I know,
because I'm one of them).

A quick read of the source, tests, documentation, issues etc provide better
information than counting stars in my experience.

~~~
frou_dh
> Some people have starred thousands of repos that they only ever looked at
> once when they saw it on the front page of HN (I know, because I'm one of
> them).

If you ever want to process and try and extract some value from those, I
recommend this: [https://astralapp.com/](https://astralapp.com/)

------
pervycreeper
This requires owning both repositories. The user puts a measure of "trust" in
the owner whose repository he had starred already, so this seems more like a
violation of that trust rather than an "exploit".

------
maltalex
> While there are some shady services to buy fake Github stars, with this
> exploit a company could just pay someone and get their repository with real
> user stars.

Is that a thing?

That link to duckduckgo doesn't return anything relevant.

