Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should GitHub Allow Username Reuse? (donatstudios.com)

Posted by BeauHD on from the fundamentally-flawed dept.

Jesse Donat argues via Donut Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.

84 comments

  1. Yes, they should by Anonymous Coward · · Score: 0

    Maybe next time you'll actually check before blindly downloading code from the internet.

  2. better question: should github allow morons by slashdice · · Score: 2, Insightful

    because it's not a problem with github; it's a problem with morons misusing github.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:better question: should github allow morons by Anonymous Coward · · Score: 0

      And how exactly would GitHub go about implementing a system that categorically excludes "morons"? You are always going to have people misusing platforms. Even if GitHub publishes a guide that states how and how not to use GitHub, its going to get ignored. A better way to deal with it is to mitigate the impact that it could cause.

    2. Re:better question: should github allow morons by Anonymous Coward · · Score: 5, Funny

      Here's an idea: When a github account is deleted, after a short period github starts publishing random garbage (but valid git) at all the repo's urls. If this breaks your application, you are a moron.

    3. Re:better question: should github allow morons by slashdice · · Score: 4, Funny

      They already detect if there are golang or javascript source code. That's a good starting point for moron removal.

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    4. Re:better question: should github allow morons by rmdingler · · Score: 1

      And how exactly would GitHub go about implementing a system that categorically excludes "morons"?

      One question: "Do you believe your contributions to this website are (a)bigly or (b)cromulent?"

      If a user chooses (a) or (b), all the evidence points to moron.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    5. Re:better question: should github allow morons by spire3661 · · Score: 1

      You IGNORE the morons, not dumb it down.

      --
      Good-bye
    6. Re:better question: should github allow morons by Anonymous Coward · · Score: 0

      Yes! Thank you.
      Not to long ago I was on #postfix asking for help for some problem I had that I couldn't understand from reading the manual. The people in the channel wouldn't even answer any questions or say anything until I created some super-specific environment and put all of my config files up on a very specific paste server and on and on, and I asked why couldn't they just answer my questions and they refused to even answer that. Finally, after doing everything they said they were just going on with insults about how stupid my settings were. I gave up and said something along the lines of how they should be more helpful and less rude and this one guy came back with a diatribe about how cromulent he was. I was like WTF? Who even uses that word? And is this opposite day?

      Turns out, that it's a trend in shitty con valley to use that word and be an epic douche.

    7. Re: better question: should github allow morons by Anonymous Coward · · Score: 0

      That sounds terrible. I hope you got a refund for all the money you paid them. The nerve of some people. It not like you are a non paying customer looking for free help and then being a dick about not wanting to articulate nd document the problem you are claiming exists so they can see it is reproducible and not a pebkac.

    8. Re:better question: should github allow morons by sg_oneill · · Score: 1

      because it's not a problem with github; it's a problem with morons misusing github.

      Shrugging off a probblem and saying "Its misuse, its not us" was exactly the attitude microsoft took to security in the mid ninteys that gave windows the attrocious reputation for security it has.

      Username re-use is a LONG established security fail, especially in conjunction with githubs provision of security crtitical REST endpoints. Sure it requires a malicious human to exploit the vunerability, but thats true of all security failures.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    9. Re: better question: should github allow morons by Anonymous Coward · · Score: 0

      Lol postfix, let someone else have the headache of running an email server. Office 365 is surprisingly usable now. After migrating from postfix to qmail to hmailserver to office365, I am finally not spending stupid amount of time on email.

    10. Re:better question: should github allow morons by Anonymous Coward · · Score: 1

      And how exactly would GitHub go about implementing a system that categorically excludes "morons"?

      They shouldn't. Users should stop using software managed by morons.

      Hotlinking web content was bad enough. We know it breaks and we know why. We also know that the topmost hoster is free to serve hello.jpg to any asshole who hotlinks.

      Hotlinking code, now that is a whole other level of stupidity. That person have no business maintaining code.
      If you want to use another library you pull in a local copy. If you want to keep updated you update you local copy and test it against with your code.
      If your code breaks because someone else took down their code then you are the one to blame.

    11. Re:better question: should github allow morons by ebvwfbw · · Score: 1

      I predict it would take about a month to a year for you - AC - to be that moron.

    12. Re: better question: should github allow morons by Anonymous Coward · · Score: 0

      we can't all be windows using whores like you.

    13. Re:better question: should github allow morons by K.+S.+Kyosuke · · Score: 1

      after a short period github starts publishing random garbage

      But how would you distinguish this from the previous state of affairs?

      --
      Ezekiel 23:20
  3. No. by QuietLagoon · · Score: 1

    No. No. No.

  4. Irrelevant by chrysalis · · Score: 4, Insightful

    A URL is not tied to an identity. The only way to verify who wrote the code is to use digital signatures.

    --
    {{.sig}}
    1. Re:Irrelevant by tepples · · Score: 1

      How would the public key for each author be verified? TOFU? International travel to code signing parties?

    2. Re:Irrelevant by Anonymous Coward · · Score: 0

      perhaps some international secret network of trust authorities and trust delegation.

    3. Re:Irrelevant by swillden · · Score: 1

      No need for signatures. Just always depend on a specific Git commit, identified by hash, for automatically retrieving dependencies. Also prevents changes from breaking stuff.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Irrelevant by Anonymous Coward · · Score: 0

      still relevant...

      a project or repo at github.com/someproject is accessed by *that* url, not some mismash like github.com/93f87c95-d2a8-4b8f-9995-6d8943685a45

      so, NO. github and similar should not, should never ever, reuse usernames.

      hell, even email providers should not reuse them. hackers and spammers and scammers take 'em and swipe what they can (data, passwords, password resets, online accounts to steam etc) based on the mail that does come in once they've been given a previously used username (which those hackers and spammers and scammers know exists because they've been sending spam and scams and viruses and worms and ransomware with trackers in them for eons).

    5. Re: Irrelevant by Anonymous Coward · · Score: 0

      Git hashes aren't intended to be cryptographic strength. (That is, they aren't claimed to provide protection from collision attacks.)

    6. Re:Irrelevant by TheRaven64 · · Score: 1

      You don't need it to be verified, you need it to be consistent. You are not verifying that the author of X is a specific individual, you are verifying that the author of X version 1.1 is the same as the author of X version 1.0. If both are signed with the same key, then you can be fairly confident of this (not completely, because the key may still have been compromised, but a lot more so than with two unsigned binaries).

      --
      I am TheRaven on Soylent News
    7. Re:Irrelevant by tepples · · Score: 1

      How would the public key for each author be verified? TOFU?

      you are verifying that the author of X version 1.1 is the same as the author of X version 1.0.

      So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:

      1. If setting up a new machine, how would you already have the public key for the author of X version 1.0?
      2. For a brand-new project, how would the author of X version 1.0 gain reputation for the project's public key?

    8. Re: Irrelevant by swillden · · Score: 1

      Git hashes aren't intended to be cryptographic strength. (That is, they aren't claimed to provide protection from collision attacks.)

      Bah. While SHA-1 is mildly vulnerable to collision attacks, an attacker would need to execute a preimage attack to successfully insert bad code in the threat model under discussion. SHA-1 is not vulnerable to preimage attacks. Not yet, anyway, and I think it's unlikely to be.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re: Irrelevant by Anonymous Coward · · Score: 0

      Exactly. And if your Go code isn't pretty anymore then use your own git repo. If it can't be replaced in a few hours, you're going to want your own backup. Always review any code you pull in. The git username policy is fine we don't need to copy policies from module repos which should be signed and archived after a short undo period. If Go wasn't playing fast and loose this wouldn't be an issue.

    10. Re: Irrelevant by Anonymous Coward · · Score: 0

      If you want to make things easier, we'll need a RAFT consensus or block chain ledger to validate code on a majority of trust points, and trusted notaries to gate validation.

    11. Re:Irrelevant by Gr8Apes · · Score: 1

      So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:

      I would hope you'd verify the codebase on first use. If not... well, there's some other word for what you are...

      --
      The cesspool just got a check and balance.
    12. Re:Irrelevant by tepples · · Score: 1

      I would hope you'd verify the codebase on first use.

      How is that done on a new machine?

    13. Re:Irrelevant by Gr8Apes · · Score: 1

      For the very very first initial verification, you use your buildable system and verify the codebase and build it. Compare to what you installed. Now reinstall with an alternate system from a different source, build your target system and compare the 2 builds. If you're really wanting to verify, do a third install (or LiveCD) and repeat. Then, after you're all done verifying and building your now validated source, you install your verified build and you have a trusted initial install. It's a lot of work, but if you want to be sure, it's the only way.

      Or you trust common components built and used by many others for your base system.

      But, IMHO, the original posting was referring to components you include in your own products that you develop. In this case, you should only include things you build yourself. The Maven repo is not a trusted source no matter what a bunch of people think. You should create source copies in your build system for every component you use, and build and test each one. This puts the entire source code you're working with under your control, and you can vouch for it, as is necessary for certain levels of security and accountability. And yes, this is a pain in the ass if you only need 1 function from a library. It forces you to do some reckoning instead of haphazardly including 100 Apache libraries. In some cases, you'll wind up just copying the base functionality that you need into your codebase base, reducing your exposure. Which is the idea.

      --
      The cesspool just got a check and balance.
  5. Problem with package manager, not repository by guruevi · · Score: 5, Informative

    The package manager and dependency programmer should check either the hash or another cryptographic property of the code to authenticate the code.

    This is the same as someone re-registering an expired domain or simply poisoning the repository or even hacking the dns in your router. Unless you can check you have an authentic package, signed by a known author, you're purely depending on the goodwill of the Internet.

    I would think this is kind of mandatory but I guess Go/JavaScript developers don't need to think about security, the language/platform is secure.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Problem with package manager, not repository by Lord_Jeremy · · Score: 1

      Amusingly enough, Git already provides the solution to this problem cryptographically. Git revisions have a SHA1 hash. I just looked it up and the built-in Go package manager (invoked as `go get`) does not have any way to specify a revision hash or any other head marker of a Git repo. About a year ago, the language itself added some type of support for specific revisions (some dependency management they called "vendoring") but unless a specific hash is required for every dependency, you've still got the vulnerability.

      As an engineering team leader, it completely baffles me that you could rely on a dependency management system that doesn't care about the version of the module its fetching. Obviously it's entirely possible (and for some projects, could be likely) that the HEAD of the Git repo is unstable, if not completely broken at any given time.

  6. Don*a*t Studios by donatj · · Score: 1

    Spelled my last name wrong the second time but not the first ;)

    1. Re:Don*a*t Studios by Anonymous Coward · · Score: 1

      I bet everyone calls you donut

    2. Re:Don*a*t Studios by slashdice · · Score: 1

      hey, you know who's the most popular guy at the nude beach? He's carrying two cups of coffee and a dozen donuts.

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    3. Re:Don*a*t Studios by donatj · · Score: 0

      You bet right! My entire life.

    4. Re:Don*a*t Studios by Anonymous Coward · · Score: 0

      1) Do you craft Artisanal Donuts?
      2) Would you build a Gay Donut for a gay couple

    5. Re:Don*a*t Studios by Anonymous Coward · · Score: 0

      Carrying donuts in your man-purse and trying to give donuts from your man-purse to naked ladies at the beach do nut make you popular.

    6. Re:Don*a*t Studios by Anonymous Coward · · Score: 0

      What a terrible life. Have you tried killing yourself.

  7. Public keys? Signing? by lorien420 · · Score: 1

    I'm not sure why there isn't a PKI system for this like with ssh or other open source projects. Once you've established the trust it would then warn you if it was signed with a different key. It's shocking that this most basic warning system doesn't exist.

    --
    "[We'll be] really getting inside your head and making it an unpleasant place to be" -- Trent Reznor
    1. Re: Public keys? Signing? by guruevi · · Score: 1

      It does. Check apt or yum for example. This is about code thrown together in Go and similar problems exist in lots of JavaScript code managers, I'm sure those languages are so secure they don't need to be checked.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Public keys? Signing? by Anonymous Coward · · Score: 0

      This sounds like the perfect application for Keybase's user model. I wonder how hard it would be to add a pre-fetch hook to git that would check for and cache a public key on the account or repository.

  8. Non issue by klingens · · Score: 1

    This doesn't solve anything. Just like various browser extensions for Chrome or whole Android Apps are sold and then made into adware or worse. There the whole account is basically bought, and the same can be done in github. If people continue to misuse github as a package repository, it will happen sooner or later.

    1. Re:Non issue by RockDoctor · · Score: 1
      One would hope that the PHBs who buy $Project$ will have learned to specify that buying $Project$ includes all private keys associated with $Project$. Put it in the contract.

      Does this conflict with concepts of code ownership and responsibility? Maybe. And, so?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  9. Reuse is fine, need a waiting period by Anonymous Coward · · Score: 0

    Reuse is fine, but there should be a period of inactivity. Many mail providers use 6 months to a year.

  10. append by supernova87a · · Score: 1

    Well, maybe they should do something like give everyone the equivalent of a date of birth at the end of the username, so that people can be distinguished even if they have the same core name.

    Otherwise, as time goes on, won't we start to run out of names if you can never reuse them?

    How do we deal with this problem for actual human beings who have similar names?

    1. Re:append by Misagon · · Score: 1

      Asking users to expose their birth dates is not a good idea.
      In some countries, birth dates are considered sensitive information.
      Either way, the data could be harvested by a third party and used for targeted advertising or more nefarious purposes.

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    2. Re:append by Anonymous Coward · · Score: 0

      Asking users to expose their birth dates is not a good idea.
      In some countries, birth dates are considered sensitive information.
      Either way, the data could be harvested by a third party and used for targeted advertising or more nefarious purposes.

      supernova87a wrote "the equivalent of a date of birth at the end of the username," so the suggestion wasn't to use the user's DOB but presumably something like the account date of birth or a generation count in order to make the account identifier unique. Just like a filesystem inode might have a generation counter that gets incremented whenever the inode entry is reused for a new file.

    3. Re:append by RockDoctor · · Score: 1

      everyone the equivalent of a date of birth

      Every user name, not every person. And in the world of crypto, I think you mean "a grain of salt", not a birth date.

      A perfectly reasonable use case is for "Joe" to have a Github account for the projects someone pays her to work on in the office, and a second account for his personal project tracking wombat breeding. And to extend that case, since I'm swapping Joe's gender-ish pronouns randomly, posit that "Joe" tries coding a FaceSpace-a-like that has gender fluidity at it's core concept, with 57 different "gender identities" (I heard a rumour that Facebook have 51 "internal" genders ; I don't use it and don't know, or care). "Joe" being both canny, and schizophrenic, decides on using a whole new identity including all security coding, private keys etc. And when Farcebook decides to buy that work for a modest fortune, then the whole kit and kaboodle of code, passwords, and public and secret keys and all and all can be passed over like a hot potato, while "Joe" takes the money and buys a wombat-wanking farm with ne'er a backwards glance.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  11. Numbers not names. by Anonymous Coward · · Score: 0

    The solution is simple. Give each user account a unique, (never may be reused number,) and allow the user to pick his/her name; then make sure users understand that only the number is the identifier, and the name is just a "nick". As for users permanently disabling their accounts, I'm not sure how this directly impacts other github users, (not being intimately familiar with github internals, but you just make it so that whenever an account is deactivated, shut off, locked out, etc., that all things belonging thereto default to someone above the original user, (i.e., the github user account that has been open longest, or the one perhaps in the relevant field whose account has been open/active longest, or the one open the longest that has been active fairly recently and routinely, and make that account the point of contact for anyone (or group) who work on that project.

    User name reuse can be problematic when people don't know that the NEW user with that name may NOT be the same as the OLD user with that name, so that should never be allowed as such, without some mechanism. Perhaps include with usernames the date the account was established in parentheses after a user name, somewhat like how they do on /. but instead of user nickname (user number) have it be User ID (variable/user selected) and date established, followed by Unique User ID ACCOUNT Number

    So it could be something like:
     

    ReijnStrøm Project maintainer Slashdottier (20170125) UUAIDN: &h_000_000_000_001 posted this update to FAQ page on (date) ...

    This would indicate the user name "Slashdottier" whose account was established January 25th, 2017, and whose unique hexadecimal user ID number is... 1.

    Or however they do it on github. So then at least there is no ambiguity. Perhaps require each project to name a couple individuals who are designated to inherit a project if that account stops, deactivates, doesn't log in in a few years, etc.

    Just a thought.

    1. Re: Numbers not names. by Anonymous Coward · · Score: 0

      I'll use the same name on a different unreadable uuid. Heck I'll use a different name but in Cyrillic. Etc. Never stops

  12. Why should access based on username at all? by mark-t · · Score: 1, Interesting

    .... it should be based entirely on some unique identifier that people don't ordinarily use to identify the person, but can be easily discovered whenever necessary.

    A username should serve only as a human-readable identifier, it should not serve as an identifier that is used by itself for any security purposes at all. If a person changes their username, their previous name should be available for reuse, just as a disconnected phone number is, but in the case of usernames, you could still readily tell the previous user from the current one because the unique identifier could be checked.

    If a person doesn't think to check the unique ID, then that's their own bloody fault... about on par with a person not checking that a cashier has handed them back the right amount of change and not noticing any discrepancy until they got home.

    --
    File under 'M' for 'Manic ranting'
  13. If this problem broke your build system by Anonymous Coward · · Score: 2, Interesting

    Then you're a dangerous amateur and you should immediately stop developing software for the good of all humanity.

    1. Re:If this problem broke your build system by Anonymous Coward · · Score: 0

      What's so dangerous about having amateurs share code with each other? Professionally-written software also has dependencies, and sometimes the organizations maintaining those dependencies disappear. The business solution to this problem is code escrow. The GitHub solution is that the code is already open-source, so everyone already has local copies. That's why some users were able to replace the repository so easily.

  14. Why can you delete stuff? by Anonymous Coward · · Score: 0

    If you publish something on github, why does deleteing your account make that stuff go away?

    It kind of defeats the the idea of publishing s/w for other folks to incorporate into theirs.

    If somebody else wishes to take over an abandoned project, the projects using it can still get the old stuff by asking for a specific version.

    1. Re:Why can you delete stuff? by Anonymous Coward · · Score: 0

      Because git is shit.

      People like to pretend a git repo is an indelible record of every change made to a project, but it is nothing like that at all. You can force push to rewrite the history of any repo you control, destroying any record of previous versions which existed. If you are sufficiently malicious, you only need to steal someones password to completely ruin all their repos.

      Git is aptly named because git is Linus Torvalds most stupid idea ever.

    2. Re:Why can you delete stuff? by Anonymous Coward · · Score: 0
      My thoughts similarly. Specifically, this line in TFS caught my eye.

      He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes.

      They treat it as a foregone conclusion that this person should have this right. But if him deleting his account and all associated code off github can impact other projects, I fail to see why he should have that right.

    3. Re: Why can you delete stuff? by Anonymous Coward · · Score: 0

      Because ultimately, licensed code, even under GPL and other permissive licenses, is still owned by the creator who gets to decide whether it is published on git or not.

      Yeah, most open source licenses allow others to fork the code and/or redistribute it, clearly indicated as such, since the creator still owns and legally controls the original code. Github telling a creator they can't delete their own repository would go far beyond that, in effect proclaiming that they had surrendered ownership and their work was now Public Domain.

    4. Re: Why can you delete stuff? by Wycliffe · · Score: 1

      They treat it as a foregone conclusion that this person should have this right. But if him deleting his account and all associated code off github can impact other projects, I fail to see why he should have that right.

      Github is a repo. Of course you should be able to delete projects, otherwise it would contain even more dead projects than it already does. You publish code and share it with the world. People download it and use it. You abandon it and delete the project. The problem is not you deleting it but the person depending on it to stay there. If I share something with you with an open source license then you are free to download a copy but if I decide to unpublisg then it's up to new users to snag it from someone who managed to download it before it disappeared.

    5. Re: Why can you delete stuff? by tepples · · Score: 1

      Yeah, most open source licenses allow others to fork the code and/or redistribute it, clearly indicated as such, since the creator still owns and legally controls the original code. Github telling a creator they can't delete their own repository would go far beyond that

      "You have deleted your repository. But prior to that, we have exercised our right under the GNU General Public License to fork your repository and make it available to the public through the same URL."

  15. Establishing trust on fresh machine by tepples · · Score: 1

    Establishing the trust is another big issue, especially when bringing up a particular environment for the first time on a given machine. How many people make a point of verifying the server key fingerprint the first time they connect to a particular SSH server?

  16. if this is a common problem for you... by phantomfive · · Score: 1

    If this is a common problem for you, then you are choosing the wrong projects to depend on.

    --
    "First they came for the slanderers and i said nothing."
  17. Yes, because you should be checking GPG sigs by exabrial · · Score: 1

    Go has a pretty stupid package manager if it's relying on a URL to deliver binaries to clients. Any code (binary or source) should be signed and signatures cross-checked in a distributed registry. If you think github name resuse is going to stop this you need to switch languages.

  18. Usernames should NEVER be reused anywhere by Anonymous Coward · · Score: 0

    This should be obvious, standard infosec policy in 2018. It should be blatantly obvious for corporate networks, e-mail hosts, banking, social media, and other such outlets, but really it should be a blanket policy everywhere.

    1. Re:Usernames should NEVER be reused anywhere by Anonymous Coward · · Score: 0

      This should be obvious, standard infosec policy in 2018. It should be blatantly obvious

      One would think. The trouble is that it's really fashionable today to pull uncritically from public repositories that are subject to identity hijacking, incompatible version bumps, and even the unintended introduction of regressions into working packages.

    2. Re: Usernames should NEVER be reused anywhere by hackwrench · · Score: 1

      In that case, not even by the same person for more than one transaction. This is pointless.

  19. Source repo vs package manager by WinstonWolfIT · · Score: 1

    I think a source repository should be allowed to be deleted, and a username to not be reused. I think it's a huge mistake -- and I never have -- to use a repo as a dependency. Grab sources from a repo and if the head goes away stay with what you have. I have nuget packages that can't and should never be deleted.

  20. Re:So, the TRUMP WH this is about then by Anonymous Coward · · Score: 0

    Of course. Fox Newz preys on them and then Pence prays on them because they are that stupid. It's how "republicans" get things they want. They dup the stupidest to believe these things and get these idiots to vote "republican" and then cash in. America: The Idiocracy. It's here.

    Good side is this. If America gets through it the "republicans" are gone. Trump, Kushner, and the rest are in prison. Then time to pop the bubbly.

  21. So...... by BitztreamNotARealNam · · Score: 1, Insightful

    How's life in the hypocrite lane?

    1. Re:So...... by BitztreamNotARealNam · · Score: 2

      I've already replied to you, Anonymous Coward.

  22. That's why we have SSH and PGP keys on GitHub by kriston · · Score: 1

    That's why we have SSH and PGP keys on GitHub.

    --

    Kriston

  23. Like a trademark by Anonymous Coward · · Score: 0

    Like a trademark

    A user id is like a trademark that never expires. No one should be able to hijack another person's trademark, even if the original code is deleted. This applies to a repository bank like
    Github.

    A URL is a different story, because a URL may have a generic name, like recipes.com. A user id should never be generic, or inherited like a person's name, or be able to be sold like a URL or a commodity.

  24. I literally.... by Anonymous Coward · · Score: 0

    have no idea what github is, so who cares? Github users I guess.

    1. Re: I literally.... by Anonymous Coward · · Score: 0

      You are obviously not a programmer then. Move along.

  25. Don't over-automate, dummies by Anonymous Coward · · Score: 0

    This is not a problem with Go or any other github-using frameworks or languages. This is a *process* issue. Any project manager, 'DevOps' house or poor schmuck on the dev team who has to handle the CI system just needs to ensure no one (and no build server) blindly auto-updates third party libs from external sources.

    Automate, but never *over* automate. Review update notifications manually, verify, stage and test them, before using in production.

  26. isn't this what signed tags are for? by platinummyr · · Score: 1

    You sign a tag so that it's verifiable that no one else could have possibly created the tag, so if a malicious user gets your account name but not your private key, they can't create new tags.

  27. Re: Irrelevant? More like relevant by Anonymous Coward · · Score: 0

    > Git hashes aren't intended to be cryptographic strength.

    That wasn't the suggestion, but I can understand how you would choose to pessimistically misunderstand the sentiment.

    > Git commit, identified by hash

    Many people know that the git hashes aren't cryptographically secure, but the git documentation spells it out for you.
    The suggestion was to create another hash for the intended purpose.

    SMH

  28. Re:Problem with the developer by Anonymous Coward · · Score: 0

    It's bitztream the autism-hating, custom EpiPen-hating, Musk-hating, Qualcomm-hating, Firefox tabs-hating, Slashdot editors-hating Slashdot troll!

  29. Yes, because... by c_g_hills · · Score: 1

    User accounts are not something unique to GitHub, and I would expect any service that lets you pick usernames to allow reuse, otherwise eventually you are left with random letters and numbers as users move on.

    12 best practices for user account, authorization and password management
    https://cloudplatform.googlebl...

  30. Why Is User Name Significant? by Anonymous Coward · · Score: 0

    2 extremes:

    Is it like a phone number? When you abandon a phone number (can't or won't port it to a new provider), it goes back into the pool and gets reused at some point.

    Is it like a Facebook account? Names do not get reused. When properly notified of death or the account gets deleted, Facebook archives them and prevents further updates. Lots of systems do something like this when an account or its owner goes away - things may remain online for some amount of time, but read-only, and future use of the account ID is prohibited.