Reputation Farming in OSS: A Threat to Building Trust
This issue complicates the open source and supply chain security space. For attacks like xz, such strategies can be used by attackers to build “fake” trust among fellow OSS community members. A few days ago, this discussion ignited in the OSSF Slack , which talked about the issue of credibility farming in several open source repositories. So, the issue revolves around GitHub (or equivalent platforms) accounts approving or commenting on old pull requests and issues that were already resolved or closed, where these meaningless contributions show up prominently on the user’s profile and activity feed, making their involvement seem more significant than it actually is, without closer look....