Slashdot Mirror


Should GitHub Allow Username Reuse? (donatstudios.com)

Jesse Donat argues via Donat Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.

7 of 84 comments

  1. better question: should github allow morons by slashdice · Score: 2, Insightful

    because it's not a problem with github; it's a problem with morons misusing github.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:better question: should github allow morons by Anonymous Coward · Score: 5, Funny

      Here's an idea: When a github account is deleted, after a short period github starts publishing random garbage (but valid git) at all the repo's urls. If this breaks your application, you are a moron.

    2. Re:better question: should github allow morons by slashdice · Score: 4, Funny

      They already detect if there is golang or javascript source code. That's a good starting point for moron removal.

  2. Irrelevant by chrysalis · Score: 4, Insightful

    A URL is not tied to an identity. The only way to verify who wrote the code is to use digital signatures.

  3. Problem with package manager, not repository by guruevi · Score: 5, Informative

    The package manager and dependency programmer should check either the hash or another cryptographic property of the code to authenticate the code.

    This is the same as someone re-registering an expired domain or simply poisoning the repository or even hacking the DNS in your router. Unless you can check you have an authentic package, signed by a known author, you're purely depending on the goodwill of the Internet.

    I would think this is kind of mandatory but I guess Go/JavaScript developers don't need to think about security, the language/platform is secure.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
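The content-hash check that this comment (and the summary's point about "go get" pulling the head of a repository) calls for, as an added example that is not part of the original story or any comment: a fetched tree is hashed in the shape of a go.sum "h1:" line and compared with the hash pinned when the dependency was first vetted, so a republished repository under the same URL fails the check. The tree contents and the module path example.invalid/embedtool are constructed, and Hash1 is a compact re-implementation for the example, not Go's own dirhash package.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleTree stands in for a fetched checkout: relative path -> contents.
type ModuleTree map[string][]byte

// Hash1 hashes a whole tree in the shape of go.sum "h1:" lines: one
// "<sha256 hex>  <path>\n" line per file, sorted by path, then SHA-256
// over those lines, base64-encoded. Compact re-implementation for this
// example, not golang.org/x/mod/sumdb/dirhash itself.
func Hash1(tree ModuleTree) string {
	paths := make([]string, 0, len(tree))
	for p := range tree {
		paths = append(paths, p)
	}
	sort.Strings(paths) // never depend on map or fetch order
	summary := sha256.New()
	for _, p := range paths {
		fileSum := sha256.Sum256(tree[p])
		fmt.Fprintf(summary, "%x  %s\n", fileSum, p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// VerifyPinned reports whether a fresh fetch still matches the hash recorded
// when the dependency was vetted; the URL alone proves nothing about content.
func VerifyPinned(tree ModuleTree, pinned string) bool {
	return Hash1(tree) == pinned
}

// Constructed sample: the dependency as it looked when it was first vetted.
var vettedTree = ModuleTree{
	"go.mod":   []byte("module example.invalid/embedtool\n"),
	"embed.go": []byte("package embedtool\n\nfunc Embed(b []byte) []byte { return b }\n"),
}

func main() {
	pin := Hash1(vettedTree) // what go.sum would have recorded
	// Same URL, new owner, one file changed: the pin no longer matches.
	republished := ModuleTree{
		"go.mod":   vettedTree["go.mod"],
		"embed.go": []byte("package embedtool\n\nfunc Embed(b []byte) []byte { return append(b, 0) }\n"),
	}
	fmt.Println("republished tree matches pin:", VerifyPinned(republished, pin)) // false
}
```

A renamed, added or removed file changes the hash just as an edited one does, which is why the check covers the whole tree rather than individual files.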
  4. If this problem broke your build system by Anonymous Coward · Score: 2, Interesting

    Then you're a dangerous amateur and you should immediately stop developing software for the good of all humanity.

  5. Re:So...... by BitztreamNotARealNam · Score: 2

    I've already replied to you, Anonymous Coward.