Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should GitHub Allow Username Reuse? (donatstudios.com)

Posted by BeauHD on from the fundamentally-flawed dept.

Jesse Donat argues via Donut Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.

45 of 84 comments (clear)

  1. better question: should github allow morons by slashdice · · Score: 2, Insightful

    because it's not a problem with github; it's a problem with morons misusing github.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:better question: should github allow morons by Anonymous Coward · · Score: 5, Funny

      Here's an idea: When a github account is deleted, after a short period github starts publishing random garbage (but valid git) at all the repo's urls. If this breaks your application, you are a moron.

    2. Re:better question: should github allow morons by slashdice · · Score: 4, Funny

      They already detect if there are golang or javascript source code. That's a good starting point for moron removal.

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    3. Re:better question: should github allow morons by rmdingler · · Score: 1

      And how exactly would GitHub go about implementing a system that categorically excludes "morons"?

      One question: "Do you believe your contributions to this website are (a)bigly or (b)cromulent?"

      If a user chooses (a) or (b), all the evidence points to moron.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    4. Re:better question: should github allow morons by spire3661 · · Score: 1

      You IGNORE the morons, not dumb it down.

      --
      Good-bye
    5. Re:better question: should github allow morons by sg_oneill · · Score: 1

      because it's not a problem with github; it's a problem with morons misusing github.

      Shrugging off a probblem and saying "Its misuse, its not us" was exactly the attitude microsoft took to security in the mid ninteys that gave windows the attrocious reputation for security it has.

      Username re-use is a LONG established security fail, especially in conjunction with githubs provision of security crtitical REST endpoints. Sure it requires a malicious human to exploit the vunerability, but thats true of all security failures.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    6. Re:better question: should github allow morons by Anonymous Coward · · Score: 1

      And how exactly would GitHub go about implementing a system that categorically excludes "morons"?

      They shouldn't. Users should stop using software managed by morons.

      Hotlinking web content was bad enough. We know it breaks and we know why. We also know that the topmost hoster is free to serve hello.jpg to any asshole who hotlinks.

      Hotlinking code, now that is a whole other level of stupidity. That person have no business maintaining code.
      If you want to use another library you pull in a local copy. If you want to keep updated you update you local copy and test it against with your code.
      If your code breaks because someone else took down their code then you are the one to blame.

    7. Re:better question: should github allow morons by ebvwfbw · · Score: 1

      I predict it would take about a month to a year for you - AC - to be that moron.

    8. Re:better question: should github allow morons by K.+S.+Kyosuke · · Score: 1

      after a short period github starts publishing random garbage

      But how would you distinguish this from the previous state of affairs?

      --
      Ezekiel 23:20
  2. No. by QuietLagoon · · Score: 1

    No. No. No.

  3. Irrelevant by chrysalis · · Score: 4, Insightful

    A URL is not tied to an identity. The only way to verify who wrote the code is to use digital signatures.

    --
    {{.sig}}
    1. Re:Irrelevant by tepples · · Score: 1

      How would the public key for each author be verified? TOFU? International travel to code signing parties?

    2. Re:Irrelevant by swillden · · Score: 1

      No need for signatures. Just always depend on a specific Git commit, identified by hash, for automatically retrieving dependencies. Also prevents changes from breaking stuff.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Irrelevant by TheRaven64 · · Score: 1

      You don't need it to be verified, you need it to be consistent. You are not verifying that the author of X is a specific individual, you are verifying that the author of X version 1.1 is the same as the author of X version 1.0. If both are signed with the same key, then you can be fairly confident of this (not completely, because the key may still have been compromised, but a lot more so than with two unsigned binaries).

      --
      I am TheRaven on Soylent News
    4. Re:Irrelevant by tepples · · Score: 1

      How would the public key for each author be verified? TOFU?

      you are verifying that the author of X version 1.1 is the same as the author of X version 1.0.

      So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:

      1. If setting up a new machine, how would you already have the public key for the author of X version 1.0?
      2. For a brand-new project, how would the author of X version 1.0 gain reputation for the project's public key?

    5. Re: Irrelevant by swillden · · Score: 1

      Git hashes aren't intended to be cryptographic strength. (That is, they aren't claimed to provide protection from collision attacks.)

      Bah. While SHA-1 is mildly vulnerable to collision attacks, an attacker would need to execute a preimage attack to successfully insert bad code in the threat model under discussion. SHA-1 is not vulnerable to preimage attacks. Not yet, anyway, and I think it's unlikely to be.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:Irrelevant by Gr8Apes · · Score: 1

      So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:

      I would hope you'd verify the codebase on first use. If not... well, there's some other word for what you are...

      --
      The cesspool just got a check and balance.
    7. Re:Irrelevant by tepples · · Score: 1

      I would hope you'd verify the codebase on first use.

      How is that done on a new machine?

    8. Re:Irrelevant by Gr8Apes · · Score: 1

      For the very very first initial verification, you use your buildable system and verify the codebase and build it. Compare to what you installed. Now reinstall with an alternate system from a different source, build your target system and compare the 2 builds. If you're really wanting to verify, do a third install (or LiveCD) and repeat. Then, after you're all done verifying and building your now validated source, you install your verified build and you have a trusted initial install. It's a lot of work, but if you want to be sure, it's the only way.

      Or you trust common components built and used by many others for your base system.

      But, IMHO, the original posting was referring to components you include in your own products that you develop. In this case, you should only include things you build yourself. The Maven repo is not a trusted source no matter what a bunch of people think. You should create source copies in your build system for every component you use, and build and test each one. This puts the entire source code you're working with under your control, and you can vouch for it, as is necessary for certain levels of security and accountability. And yes, this is a pain in the ass if you only need 1 function from a library. It forces you to do some reckoning instead of haphazardly including 100 Apache libraries. In some cases, you'll wind up just copying the base functionality that you need into your codebase base, reducing your exposure. Which is the idea.

      --
      The cesspool just got a check and balance.
  4. Problem with package manager, not repository by guruevi · · Score: 5, Informative

    The package manager and dependency programmer should check either the hash or another cryptographic property of the code to authenticate the code.

    This is the same as someone re-registering an expired domain or simply poisoning the repository or even hacking the dns in your router. Unless you can check you have an authentic package, signed by a known author, you're purely depending on the goodwill of the Internet.

    I would think this is kind of mandatory but I guess Go/JavaScript developers don't need to think about security, the language/platform is secure.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Problem with package manager, not repository by Lord_Jeremy · · Score: 1

      Amusingly enough, Git already provides the solution to this problem cryptographically. Git revisions have a SHA1 hash. I just looked it up and the built-in Go package manager (invoked as `go get`) does not have any way to specify a revision hash or any other head marker of a Git repo. About a year ago, the language itself added some type of support for specific revisions (some dependency management they called "vendoring") but unless a specific hash is required for every dependency, you've still got the vulnerability.

      As an engineering team leader, it completely baffles me that you could rely on a dependency management system that doesn't care about the version of the module its fetching. Obviously it's entirely possible (and for some projects, could be likely) that the HEAD of the Git repo is unstable, if not completely broken at any given time.

  5. Don*a*t Studios by donatj · · Score: 1

    Spelled my last name wrong the second time but not the first ;)

    1. Re:Don*a*t Studios by Anonymous Coward · · Score: 1

      I bet everyone calls you donut

    2. Re:Don*a*t Studios by slashdice · · Score: 1

      hey, you know who's the most popular guy at the nude beach? He's carrying two cups of coffee and a dozen donuts.

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  6. Public keys? Signing? by lorien420 · · Score: 1

    I'm not sure why there isn't a PKI system for this like with ssh or other open source projects. Once you've established the trust it would then warn you if it was signed with a different key. It's shocking that this most basic warning system doesn't exist.

    --
    "[We'll be] really getting inside your head and making it an unpleasant place to be" -- Trent Reznor
    1. Re: Public keys? Signing? by guruevi · · Score: 1

      It does. Check apt or yum for example. This is about code thrown together in Go and similar problems exist in lots of JavaScript code managers, I'm sure those languages are so secure they don't need to be checked.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  7. Non issue by klingens · · Score: 1

    This doesn't solve anything. Just like various browser extensions for Chrome or whole Android Apps are sold and then made into adware or worse. There the whole account is basically bought, and the same can be done in github. If people continue to misuse github as a package repository, it will happen sooner or later.

    1. Re:Non issue by RockDoctor · · Score: 1
      One would hope that the PHBs who buy $Project$ will have learned to specify that buying $Project$ includes all private keys associated with $Project$. Put it in the contract.

      Does this conflict with concepts of code ownership and responsibility? Maybe. And, so?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  8. append by supernova87a · · Score: 1

    Well, maybe they should do something like give everyone the equivalent of a date of birth at the end of the username, so that people can be distinguished even if they have the same core name.

    Otherwise, as time goes on, won't we start to run out of names if you can never reuse them?

    How do we deal with this problem for actual human beings who have similar names?

    1. Re:append by Misagon · · Score: 1

      Asking users to expose their birth dates is not a good idea.
      In some countries, birth dates are considered sensitive information.
      Either way, the data could be harvested by a third party and used for targeted advertising or more nefarious purposes.

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    2. Re:append by RockDoctor · · Score: 1

      everyone the equivalent of a date of birth

      Every user name, not every person. And in the world of crypto, I think you mean "a grain of salt", not a birth date.

      A perfectly reasonable use case is for "Joe" to have a Github account for the projects someone pays her to work on in the office, and a second account for his personal project tracking wombat breeding. And to extend that case, since I'm swapping Joe's gender-ish pronouns randomly, posit that "Joe" tries coding a FaceSpace-a-like that has gender fluidity at it's core concept, with 57 different "gender identities" (I heard a rumour that Facebook have 51 "internal" genders ; I don't use it and don't know, or care). "Joe" being both canny, and schizophrenic, decides on using a whole new identity including all security coding, private keys etc. And when Farcebook decides to buy that work for a modest fortune, then the whole kit and kaboodle of code, passwords, and public and secret keys and all and all can be passed over like a hot potato, while "Joe" takes the money and buys a wombat-wanking farm with ne'er a backwards glance.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  9. Why should access based on username at all? by mark-t · · Score: 1, Interesting

    .... it should be based entirely on some unique identifier that people don't ordinarily use to identify the person, but can be easily discovered whenever necessary.

    A username should serve only as a human-readable identifier, it should not serve as an identifier that is used by itself for any security purposes at all. If a person changes their username, their previous name should be available for reuse, just as a disconnected phone number is, but in the case of usernames, you could still readily tell the previous user from the current one because the unique identifier could be checked.

    If a person doesn't think to check the unique ID, then that's their own bloody fault... about on par with a person not checking that a cashier has handed them back the right amount of change and not noticing any discrepancy until they got home.

    --
    File under 'M' for 'Manic ranting'
  10. If this problem broke your build system by Anonymous Coward · · Score: 2, Interesting

    Then you're a dangerous amateur and you should immediately stop developing software for the good of all humanity.

  11. Establishing trust on fresh machine by tepples · · Score: 1

    Establishing the trust is another big issue, especially when bringing up a particular environment for the first time on a given machine. How many people make a point of verifying the server key fingerprint the first time they connect to a particular SSH server?

  12. if this is a common problem for you... by phantomfive · · Score: 1

    If this is a common problem for you, then you are choosing the wrong projects to depend on.

    --
    "First they came for the slanderers and i said nothing."
  13. Yes, because you should be checking GPG sigs by exabrial · · Score: 1

    Go has a pretty stupid package manager if it's relying on a URL to deliver binaries to clients. Any code (binary or source) should be signed and signatures cross-checked in a distributed registry. If you think github name resuse is going to stop this you need to switch languages.

  14. Source repo vs package manager by WinstonWolfIT · · Score: 1

    I think a source repository should be allowed to be deleted, and a username to not be reused. I think it's a huge mistake -- and I never have -- to use a repo as a dependency. Grab sources from a repo and if the head goes away stay with what you have. I have nuget packages that can't and should never be deleted.

  15. Re: Why can you delete stuff? by Wycliffe · · Score: 1

    They treat it as a foregone conclusion that this person should have this right. But if him deleting his account and all associated code off github can impact other projects, I fail to see why he should have that right.

    Github is a repo. Of course you should be able to delete projects, otherwise it would contain even more dead projects than it already does. You publish code and share it with the world. People download it and use it. You abandon it and delete the project. The problem is not you deleting it but the person depending on it to stay there. If I share something with you with an open source license then you are free to download a copy but if I decide to unpublisg then it's up to new users to snag it from someone who managed to download it before it disappeared.

  16. So...... by BitztreamNotARealNam · · Score: 1, Insightful

    How's life in the hypocrite lane?

    1. Re:So...... by BitztreamNotARealNam · · Score: 2

      I've already replied to you, Anonymous Coward.

  17. That's why we have SSH and PGP keys on GitHub by kriston · · Score: 1

    That's why we have SSH and PGP keys on GitHub.

    --

    Kriston

  18. isn't this what signed tags are for? by platinummyr · · Score: 1

    You sign a tag so that it's verifiable that no one else could have possibly created the tag, so if a malicious user gets your account name but not your private key, they can't create new tags.

  19. Yes, because... by c_g_hills · · Score: 1

    User accounts are not something unique to GitHub, and I would expect any service that lets you pick usernames to allow reuse, otherwise eventually you are left with random letters and numbers as users move on.

    12 best practices for user account, authorization and password management
    https://cloudplatform.googlebl...

  20. Re: Usernames should NEVER be reused anywhere by hackwrench · · Score: 1

    In that case, not even by the same person for more than one transaction. This is pointless.

  21. Re: Why can you delete stuff? by tepples · · Score: 1

    Yeah, most open source licenses allow others to fork the code and/or redistribute it, clearly indicated as such, since the creator still owns and legally controls the original code. Github telling a creator they can't delete their own repository would go far beyond that

    "You have deleted your repository. But prior to that, we have exercised our right under the GNU General Public License to fork your repository and make it available to the public through the same URL."