this post was submitted on 23 May 2024
94 points (98.0% liked)
Programming
17408 readers
95 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I agree it does look legitimate, I was just wondering what signs I should look out for in general. Like I'm sure fake GitHub engagement must be a thing, but I don't know how widespread it is and I don't know what the threshold is before a project can be considered definitely real. It sounds like you're saying the level of engagement on this project is well beyond what can be considered sketchy, which is helpful information. Thanks
for a large project, you can probably look at the history of issues, if there are lots of issues that are 5 years old, it's almost certainly legit
Don’t forget the 300-comment-long “+1” feature request chains
As a software developer you should have a bit of a head start - you can read the code - one of the big pluses of open source projects is it's all there in the open. Even if not familiar with the specific language used you can see the source and get a rough idea of scope and complexity.
And look at the Github details like the age, the frequency between releases, commits, forks. Malicious projects don't stick around for long on a host site like that, and they don't get 1000s of stars or lots of engagement from legitimate users. It's very difficult to fake that.
Look at the project website. Real projects have active forums, detailed wikis, and evidence of user engagement. You'll see people recommending the project elsewhere on the net if you search, or writing independent tutorials on how to deploy or use it, or reviews on YouTube etc. Look for testimonials and user experiences.
Also look at where the software is deployed and recommended. If it's included in big name Linux distros repos thats a good sign.
Look at all the things you'd be looking at for paid software to see it's actually in use and not a scam.
And try it out - it's easy to set up a VM and deploy something in a sandbox safe environment and get a feeling if it does what it claims to do. Whether that be a cut down system with docker or an entire OS in the sandbox to stress test the software and out it through its paces.
There are so many possible elements to doing "due diligence" to ensure it's legitimate but also the right solution for your needs.