Slashdot Mirror


Should GitHub Allow Username Reuse? (donatstudios.com)

Jesse Donat argues via Donat Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account, along with the personal domain, that hosted a popular tool for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: "Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's 'go get' functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem, as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and they would be deployed to many users, likely with little actual review."
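Added example, not code from Donat's post or from the Go toolchain: the defence against the failure described above is to identify a dependency by its content rather than by the owner name and tag it is fetched under, which is what Go modules' go.sum later did. The block below models the h1 checksum scheme used by go.sum over an in-memory snapshot (the module paths, file contents and the "republished" copy are constructed for the illustration) and shows that a repository recreated under the same username and tag fails verification as soon as any byte differs, whoever pushed it.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Module is a constructed in-memory snapshot of a dependency: path -> content.
type Module map[string]string

// Hash1 computes a content hash in the style of the "h1:" lines in go.sum:
// SHA-256 over "<sha256(content) hex>  <path>\n" for every file, in sorted
// path order. Modeled on golang.org/x/mod/sumdb/dirhash for illustration;
// this is not the toolchain's own code.
func Hash1(m Module) (string, error) {
	paths := make([]string, 0, len(m))
	for p := range m {
		if strings.Contains(p, "\n") {
			return "", errors.New("file names containing newlines are not supported")
		}
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fh := sha256.Sum256([]byte(m[p]))
		fmt.Fprintf(h, "%x  %s\n", fh[:], p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// Verify checks a freshly fetched snapshot against the hash pinned when the
// dependency was first audited. Repository name, owner and tag play no part:
// only the content has to match.
func Verify(fetched Module, pinned string) error {
	got, err := Hash1(fetched)
	if err != nil {
		return err
	}
	if got != pinned {
		return fmt.Errorf("checksum mismatch: want %s, got %s", pinned, got)
	}
	return nil
}

// Constructed sample: the original author's release, and a copy republished
// under the same username and tag whose code does more than it did before.
var original = Module{
	"go.mod":      "module github.com/example/embedder\n",
	"embedder.go": "package embedder\n\nfunc Embed(b []byte) []byte { return b }\n",
}

var republished = Module{
	"go.mod":      "module github.com/example/embedder\n",
	"embedder.go": "package embedder\n\nfunc Embed(b []byte) []byte { report(b); return b }\n",
}

func main() {
	pinned, _ := Hash1(original) // what go.sum records on first use
	fmt.Println("pinned:       ", pinned)
	fmt.Println("same content: ", Verify(original, pinned))
	fmt.Println("republished:  ", Verify(republished, pinned))
}
```

The hash is a function of sorted paths and bytes only, so a tag moved to a new commit, a recreated account, or a single added line all produce a different h1 value and a hard failure instead of a silent upgrade.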

2 of 84 comments

  1. Why should access be based on username at all? by mark-t · Score: 1, Interesting

    .... it should be based entirely on some unique identifier that people don't ordinarily use to identify the person, but can be easily discovered whenever necessary.

    A username should serve only as a human-readable identifier, it should not serve as an identifier that is used by itself for any security purposes at all. If a person changes their username, their previous name should be available for reuse, just as a disconnected phone number is, but in the case of usernames, you could still readily tell the previous user from the current one because the unique identifier could be checked.

    If a person doesn't think to check the unique ID, then that's their own bloody fault... about on par with a person not checking that a cashier has handed them back the right amount of change and not noticing any discrepancy until they got home.
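The check mark-t describes, as an added example (not from the comment, and not GitHub's own tooling): GitHub's users API returns a numeric `id` alongside the `login`, and that id is not reassigned when a login is released. The function below compares the id in a fetched user record with the one pinned when the dependency was first trusted; the sample responses and the ids in them are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ghUser holds the two fields of a GitHub /users/{login} response this check
// needs: the human-readable login, which can be released and re-registered,
// and the numeric id, which is assigned once.
type ghUser struct {
	Login string `json:"login"`
	ID    int64  `json:"id"`
}

// VerifyOwner parses an API response for the account behind a dependency and
// compares its numeric id with the id pinned at first use. A matching login
// with a different id is the username-reuse case: same name, different person.
func VerifyOwner(apiResponse []byte, pinnedID int64) error {
	var u ghUser
	if err := json.Unmarshal(apiResponse, &u); err != nil {
		return fmt.Errorf("unparseable user record: %w", err)
	}
	if u.ID == 0 {
		return errors.New("response carries no account id; treat owner as unknown")
	}
	if u.ID != pinnedID {
		return fmt.Errorf("login %q now belongs to account %d, pinned account was %d",
			u.Login, u.ID, pinnedID)
	}
	return nil
}

// Constructed sample responses (ids are made up): the original owner, and the
// same login after it was released and registered by someone else.
var originalOwner = []byte(`{"login":"embedder-author","id":1234567}`)
var reregistered = []byte(`{"login":"embedder-author","id":7654321}`)

const pinnedOwnerID int64 = 1234567

func main() {
	fmt.Println("original:     ", VerifyOwner(originalOwner, pinnedOwnerID))
	fmt.Println("re-registered:", VerifyOwner(reregistered, pinnedOwnerID))
}
```

This only tells you the account is the same one; it says nothing about whether the account or its repository was compromised, so it complements a content hash rather than replacing it.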

  2. If this problem broke your build system by Anonymous Coward · Score: 2, Interesting

    Then you're a dangerous amateur and you should immediately stop developing software for the good of all humanity.