Should GitHub Allow Username Reuse?

Jesse Donat argues via Donut Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.

Re: Usernames should NEVER be reused anywhere

[hackwrench]

In that case, not even by the same person for more than one transaction. This is pointless.

better question: should github allow morons

[slashdice]

because it's not a problem with github; it's a problem with morons misusing github.

Re:better question: should github allow morons

[Anonymous Coward]

Here's an idea: When a github account is deleted, after a short period github starts publishing random garbage (but valid git) at all the repo's urls. If this breaks your application, you are a moron.

Re:

[ebvwfbw]

I predict it would take about a month to a year for you - AC - to be that moron.

Re:

[K. S. Kyosuke]

after a short period github starts publishing random garbage

But how would you distinguish this from the previous state of affairs?

Re:better question: should github allow morons

[slashdice]

They already detect if there are golang or javascript source code. That's a good starting point for moron removal.

Re:

[rmdingler]

And how exactly would GitHub go about implementing a system that categorically excludes "morons"?

One question: "Do you believe your contributions to this website are (a)bigly or (b)cromulent?"

If a user chooses (a) or (b), all the evidence points to moron.

Re:

[spire3661]

You IGNORE the morons, not dumb it down.

Re:

[Anonymous Coward]

And how exactly would GitHub go about implementing a system that categorically excludes "morons"?

They shouldn't. Users should stop using software managed by morons.

Hotlinking web content was bad enough. We know it breaks and we know why. We also know that the topmost hoster is free to serve hello.jpg to any asshole who hotlinks.

Hotlinking code, now that is a whole other level of stupidity. That person have no business maintaining code.
If you want to use another library you pull in a local copy. If you want to keep updated you update you local copy and test it against with your code.
If your code breaks

Re:

[sg_oneill]

because it's not a problem with github; it's a problem with morons misusing github.

Shrugging off a probblem and saying "Its misuse, its not us" was exactly the attitude microsoft took to security in the mid ninteys that gave windows the attrocious reputation for security it has.

Username re-use is a LONG established security fail, especially in conjunction with githubs provision of security crtitical REST endpoints. Sure it requires a malicious human to exploit the vunerability, but thats true of all securit

No.

[QuietLagoon]

No. No. No.

Irrelevant

[chrysalis]

A URL is not tied to an identity. The only way to verify who wrote the code is to use digital signatures.

Re:

[tepples]

How would the public key for each author be verified? TOFU? International travel to code signing parties?

Re:

[TheRaven64]

You don't need it to be verified, you need it to be consistent. You are not verifying that the author of X is a specific individual, you are verifying that the author of X version 1.1 is the same as the author of X version 1.0. If both are signed with the same key, then you can be fairly confident of this (not completely, because the key may still have been compromised, but a lot more so than with two unsigned binaries).

Re:

[tepples]

How would the public key for each author be verified? TOFU?

you are verifying that the author of X version 1.1 is the same as the author of X version 1.0.

So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:

1. If setting up a new machine, how would you already have the public key for the author of X version 1.0?
2. For a brand-new project, how would the author of X version 1.0 gain reputation for the project's public key?

Re:

[Gr8Apes]

So TOFU (trust on first use), as I suspected. Use of TOFU raises two follow-up questions:

I would hope you'd verify the codebase on first use. If not... well, there's some other word for what you are...

Re:

[tepples]

I would hope you'd verify the codebase on first use.

How is that done on a new machine?

Re:

[Gr8Apes]

For the very very first initial verification, you use your buildable system and verify the codebase and build it. Compare to what you installed. Now reinstall with an alternate system from a different source, build your target system and compare the 2 builds. If you're really wanting to verify, do a third install (or LiveCD) and repeat. Then, after you're all done verifying and building your now validated source, you install your verified build and you have a trusted initial install. It's a lot of work, but

Re:

[swillden]

No need for signatures. Just always depend on a specific Git commit, identified by hash, for automatically retrieving dependencies. Also prevents changes from breaking stuff.

Re:

[swillden]

Git hashes aren't intended to be cryptographic strength. (That is, they aren't claimed to provide protection from collision attacks.)

Bah. While SHA-1 is mildly vulnerable to collision attacks, an attacker would need to execute a preimage attack to successfully insert bad code in the threat model under discussion. SHA-1 is not vulnerable to preimage attacks. Not yet, anyway, and I think it's unlikely to be.

Problem with package manager, not repository

[guruevi]

The package manager and dependency programmer should check either the hash or another cryptographic property of the code to authenticate the code.

This is the same as someone re-registering an expired domain or simply poisoning the repository or even hacking the dns in your router. Unless you can check you have an authentic package, signed by a known author, you're purely depending on the goodwill of the Internet.

I would think this is kind of mandatory but I guess Go/JavaScript developers don't need to think about security, the language/platform is secure.

Re:

[Lord_Jeremy]

Amusingly enough, Git already provides the solution to this problem cryptographically. Git revisions have a SHA1 hash. I just looked it up and the built-in Go package manager (invoked as `go get`) does not have any way to specify a revision hash or any other head marker of a Git repo. About a year ago, the language itself added some type of support for specific revisions (some dependency management they called "vendoring") but unless a specific hash is required for every dependency, you've still got the vul

Don*a*t Studios

[donatj]

Spelled my last name wrong the second time but not the first ;)

Re:

[Anonymous Coward]

I bet everyone calls you donut

Re:

[slashdice]

hey, you know who's the most popular guy at the nude beach? He's carrying two cups of coffee and a dozen donuts.

Public keys? Signing?

[lorien420]

I'm not sure why there isn't a PKI system for this like with ssh or other open source projects. Once you've established the trust it would then warn you if it was signed with a different key. It's shocking that this most basic warning system doesn't exist.

Re: Public keys? Signing?

[guruevi]

It does. Check apt or yum for example. This is about code thrown together in Go and similar problems exist in lots of JavaScript code managers, I'm sure those languages are so secure they don't need to be checked.

Establishing trust on fresh machine

[tepples]

Establishing the trust is another big issue, especially when bringing up a particular environment for the first time on a given machine. How many people make a point of verifying the server key fingerprint the first time they connect to a particular SSH server?

Non issue

[klingens]

This doesn't solve anything. Just like various browser extensions for Chrome or whole Android Apps are sold and then made into adware or worse. There the whole account is basically bought, and the same can be done in github. If people continue to misuse github as a package repository, it will happen sooner or later.

Re:

[RockDoctor]

One would hope that the PHBs who buy $Project$ will have learned to specify that buying $Project$ includes all private keys associated with $Project$. Put it in the contract.

Does this conflict with concepts of code ownership and responsibility? Maybe. And, so?

append

[supernova87a]

Well, maybe they should do something like give everyone the equivalent of a date of birth at the end of the username, so that people can be distinguished even if they have the same core name.

Otherwise, as time goes on, won't we start to run out of names if you can never reuse them?

How do we deal with this problem for actual human beings who have similar names?

Re:

[Misagon]

Asking users to expose their birth dates is not a good idea.
In some countries, birth dates are considered sensitive information.
Either way, the data could be harvested by a third party and used for targeted advertising or more nefarious purposes.

Re:

[RockDoctor]

everyone the equivalent of a date of birth

Every user name, not every person. And in the world of crypto, I think you mean "a grain of salt", not a birth date.

A perfectly reasonable use case is for "Joe" to have a Github account for the projects someone pays her to work on in the office, and a second account for his personal project tracking wombat breeding. And to extend that case, since I'm swapping Joe's gender-ish pronouns randomly, posit that "Joe" tries coding a FaceSpace-a-like that has gender fluidi

Why should access based on username at all?

[mark-t]

.... it should be based entirely on some unique identifier that people don't ordinarily use to identify the person, but can be easily discovered whenever necessary.

A username should serve only as a human-readable identifier, it should not serve as an identifier that is used by itself for any security purposes at all. If a person changes their username, their previous name should be available for reuse, just as a disconnected phone number is, but in the case of usernames, you could still readily tell the

If this problem broke your build system

[Anonymous Coward]

Then you're a dangerous amateur and you should immediately stop developing software for the good of all humanity.

Re:

[tepples]

Yeah, most open source licenses allow others to fork the code and/or redistribute it, clearly indicated as such, since the creator still owns and legally controls the original code. Github telling a creator they can't delete their own repository would go far beyond that

"You have deleted your repository. But prior to that, we have exercised our right under the GNU General Public License to fork your repository and make it available to the public through the same URL."

Re: Why can you delete stuff?

[Wycliffe]

They treat it as a foregone conclusion that this person should have this right. But if him deleting his account and all associated code off github can impact other projects, I fail to see why he should have that right.

Github is a repo. Of course you should be able to delete projects, otherwise it would contain even more dead projects than it already does. You publish code and share it with the world. People download it and use it. You abandon it and delete the project. The problem is not you deleting it but the person depending on it to stay there. If I share something with you with an open source license then you are free to download a copy but if I decide to unpublisg then it's up to new users to snag it from som

So......

[BitztreamNotARealNam]

How's life in the hypocrite lane [slashdot.org]?

Re:

[BitztreamNotARealNam]

I've already replied to you [slashdot.org], Anonymous Coward.

if this is a common problem for you...

[phantomfive]

If this is a common problem for you, then you are choosing the wrong projects to depend on.

Yes, because you should be checking GPG sigs

[exabrial]

Go has a pretty stupid package manager if it's relying on a URL to deliver binaries to clients. Any code (binary or source) should be signed and signatures cross-checked in a distributed registry. If you think github name resuse is going to stop this you need to switch languages.

Source repo vs package manager

[WinstonWolfIT]

I think a source repository should be allowed to be deleted, and a username to not be reused. I think it's a huge mistake -- and I never have -- to use a repo as a dependency. Grab sources from a repo and if the head goes away stay with what you have. I have nuget packages that can't and should never be deleted.

That's why we have SSH and PGP keys on GitHub

[kriston]

That's why we have SSH and PGP keys on GitHub.

isn't this what signed tags are for?

[platinummyr]

You sign a tag so that it's verifiable that no one else could have possibly created the tag, so if a malicious user gets your account name but not your private key, they can't create new tags.

Yes, because...

[c_g_hills]

User accounts are not something unique to GitHub, and I would expect any service that lets you pick usernames to allow reuse, otherwise eventually you are left with random letters and numbers as users move on.

12 best practices for user account, authorization and password management
https://cloudplatform.googlebl... [googleblog.com]