by pcthrowaway
1116 days ago
I think the people responding are missing the point. I've also submitted PRs that just fixed typos, and I've considered that a legit contribution. But if I maintained a high-profile project right now, I'd at least take pause in thinking some of these accounts could be spam reputation-boosting accounts that only make comments/PRs to lend legitimacy to the account when it ultimately stars some artificially boosted repo. And making it harder to detect star manipulation erodes the signals of trust which have been used on GitHub, and ultimately can be a security concern (historically I've looked at numbers of contributors, stars, downloads, and issues open/closed as a rough idea of how secure some npm dependency might be... basically the idea that "more eyeballs" can mean slightly less chance of a massive security issue, especially in security-critical code like OAuth libraries).

I don't know what the solution is here. Maybe requiring people to sign a CLA like some corporate open source projects do is at least enough of a barrier