AI Safety

Social Proof is in the Pudding: The (Non)-Impact of Social Proof on Software Downloads

A new field experiment finds that purchased GitHub stars and inflated download counts had no detectable effect on how often developers downloaded new Python packages.

Deep Dive

Researchers Lucas Shen and Gaurav Sood have published a provocative preprint titled 'Social Proof is in the Pudding: The (Non)-Impact of Social Proof on Software Downloads' on arXiv. The study directly challenges a common assumption in the open-source ecosystem: that developers rely heavily on social proof metrics like GitHub stars and download counts when choosing software. To test this, the researchers conducted two controlled field experiments on GitHub, the largest developer platform.

In the first experiment, they purchased 'stars' for a randomly selected set of new Python package repositories to artificially inflate their apparent popularity. In the second, they manipulated the displayed number of human downloads for other packages. The result was a clean null: neither intervention produced a statistically detectable effect on subsequent real downloads, nor on broader engagement metrics such as forks, pull requests, or issues. This suggests that the developer community's evaluation of open-source projects may be more sophisticated, and less susceptible to superficial gamification, than previously feared.
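To make concrete what "no statistically detectable effect" means for an experiment of this shape, here is an added illustration of how a two-arm randomized field experiment is analysed with an exact permutation test, together with a sensitivity check that reports the smallest effect the sample could have flagged. This is example code written for this summary, not the authors' code or data; the download counts, the arm sizes, the 30-day window and the names STARRED / NOT_STARRED are all constructed for illustration.

```python
"""Exact permutation test for a two-arm randomized experiment.

Constructed example (not the preprint's data or code): the outcome is
downloads in the 30 days after treatment for 16 hypothetical new
packages, 8 of which were randomly assigned to receive purchased stars.
"""
from itertools import combinations


def difference_in_means(treated, control):
    """Average outcome in the treated arm minus the control arm."""
    return sum(treated) / len(treated) - sum(control) / len(control)


def permutation_test(treated, control):
    """Exact two-sided permutation (Fisher randomization) test.

    Under the sharp null hypothesis that treatment changed nobody's
    outcome, every way of choosing which len(treated) units got the
    treatment was equally likely, so the p-value is the fraction of
    such assignments whose |difference in means| is at least as large
    as the one actually observed. Integer arithmetic keeps the
    comparison exact.
    """
    pool = list(treated) + list(control)
    n_t, n_c = len(treated), len(control)
    total = sum(pool)

    def score(selected_sum):
        # Equals n_t * n_c * (mean_treated - mean_control), as an exact integer.
        return n_c * selected_sum - n_t * (total - selected_sum)

    observed = abs(score(sum(treated)))
    extreme = 0
    n_assignments = 0
    for idx in combinations(range(len(pool)), n_t):
        n_assignments += 1
        if abs(score(sum(pool[i] for i in idx))) >= observed:
            extreme += 1
    return {
        "diff_in_means": difference_in_means(treated, control),
        "p_value": extreme / n_assignments,
        "n_assignments": n_assignments,
    }


def smallest_detectable_shift(treated, control, alpha=0.05, max_shift=100):
    """Sensitivity check for a null result.

    Returns the smallest constant that, added to every treated outcome,
    would have pushed the permutation p-value below alpha while holding
    the observed spread of outcomes fixed. A null result rules out only
    effects at least this large; it says nothing about smaller ones.
    Returns None if no shift up to max_shift would have been flagged.
    """
    for shift in range(1, max_shift + 1):
        shifted = [x + shift for x in treated]
        if permutation_test(shifted, control)["p_value"] < alpha:
            return shift
    return None


# Constructed 30-day download counts. The two arms hold the same values
# in a different order, so the true effect in this toy dataset is zero.
STARRED = [41, 37, 52, 29, 48, 33, 45, 39]
NOT_STARRED = [39, 45, 33, 48, 29, 52, 37, 41]


if __name__ == "__main__":
    null = permutation_test(STARRED, NOT_STARRED)
    print(f"fake stars: diff={null['diff_in_means']:+.1f} downloads, "
          f"p={null['p_value']:.3f} over {null['n_assignments']} assignments")

    # The same experiment if buying stars had added 30 downloads per package.
    boosted = permutation_test([x + 30 for x in STARRED], NOT_STARRED)
    print(f"with +30 effect: diff={boosted['diff_in_means']:+.1f}, "
          f"p={boosted['p_value']:.5f}")

    print("smallest shift this sample could flag at alpha=0.05:",
          smallest_detectable_shift(STARRED, NOT_STARRED))
```

The point of the last function is the caveat that matters when reading a null result: the experiment did not show that stars have zero effect, only that any effect was smaller than what its sample size could separate from noise. With 16 packages the exact test enumerates all 12,870 possible treatment assignments; for larger samples one would draw a random subset of assignments instead, and the logic is otherwise unchanged.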

The findings carry significant implications for software supply chain security. A long-standing concern has been that bad actors could cheaply game these visible metrics to push malicious packages (malware or compromised dependencies) into widespread use. This research suggests that such an attack vector may be less effective than assumed, because developers appear to look beyond simple popularity signals. Two caveats apply. First, a null result in a field experiment rules out only effects large enough to be detected with the study's sample, so the finding is best read as a bound on how much purchased popularity buys, not as proof that it buys nothing. Second, the authors note that their study focused on new packages; whether the same holds for established projects or on other platforms remains an open question. The work provides a data-driven counterpoint to common growth-hacking practices in tech.

Key Points
  • Researchers bought GitHub stars for randomly selected new Python packages and found no detectable impact on real downloads.
  • A second experiment manipulating download counts also showed no detectable effect on developer engagement.
  • The results challenge fears that social proof is easily gamed to spread malicious open-source software.

Why It Matters

Suggests software supply chains may be more resilient to social proof manipulation than security experts feared.