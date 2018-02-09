Should GitHub Allow Username Reuse? (donatstudios.com) 38
Jesse Donat argues via Donut Studios why GitHub should never allow usernames to be valid again once they are deleted. He provides an example of a user who deleted his GitHub account and personal domain with a popular tool used for embedding data files into Go binaries. "While this is within his rights to do, this broke a dependency many people had within their projects," Donat writes. "To fix this, some users of the project recreated the account and the repository based on a fork of the project." Donat goes on to write: Allowing username reuse completely breaks any trust that what I pull is what it claims to be. What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.
While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.
While Go's "go get" functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.
better question: should github allow morons (Score:1, Insightful)
Re: (Score:1)
Re: (Score:2)
And how exactly would GitHub go about implementing a system that categorically excludes "morons"?
One question: "Do you believe your contributions to this website are (a)bigly or (b)cromulent?"
If a user chooses (a) or (b), all the evidence points to moron.
Re: (Score:2)
No. (Score:2)
Irrelevant (Score:4, Insightful)
A URL is not tied to an identity. The only way to verify who wrote the code is to use digital signatures.
Re: (Score:2)
How would the public key for each author be verified? TOFU? International travel to code signing parties?
Problem with package manager, not repository (Score:4, Interesting)
The package manager and dependency programmer should check either the hash or another cryptographic property of the code to authenticate the code.
This is the same as someone re-registering an expired domain or simply poisoning the repository or even hacking the dns in your router. Unless you can check you have an authentic package, signed by a known author, you're purely depending on the goodwill of the Internet.
I would think this is kind of mandatory but I guess Go/JavaScript developers don't need to think about security, the language/platform is secure.
Don*a*t Studios (Score:1)
Re: (Score:1)
I bet everyone calls you donut
Re: (Score:1)
Public keys? Signing? (Score:1)
I'm not sure why there isn't a PKI system for this like with ssh or other open source projects. Once you've established the trust it would then warn you if it was signed with a different key. It's shocking that this most basic warning system doesn't exist.
Re: Public keys? Signing? (Score:2)
It does. Check apt or yum for example. This is about code thrown together in Go and similar problems exist in lots of JavaScript code managers, I'm sure those languages are so secure they don't need to be checked.
Establishing trust on fresh machine (Score:2)
Establishing the trust is another big issue, especially when bringing up a particular environment for the first time on a given machine. How many people make a point of verifying the server key fingerprint the first time they connect to a particular SSH server?
Non issue (Score:1)
This doesn't solve anything. Just like various browser extensions for Chrome or whole Android Apps are sold and then made into adware or worse. There the whole account is basically bought, and the same can be done in github. If people continue to misuse github as a package repository, it will happen sooner or later.
append (Score:2)
Otherwise, as time goes on, won't we start to run out of names if you can never reuse them?
How do we deal with this problem for actual human beings who have similar names?
Why should access based on username at all? (Score:3)
A username should serve only as a human-readable identifier, it should not serve as an identifier that is used by itself for any security purposes at all. If a person changes their username, their previous name should be available for reuse, just as a disconnected phone number is, but in the case of usernames, you could still readily tell the previous user from the current one because the unique identifier could be checked.
If a person doesn't think to check the unique ID, then that's their own bloody fault... about on par with a person not checking that a cashier has handed them back the right amount of change and not noticing any discrepancy until they got home.
if this is a common problem for you... (Score:2)
Yes, because you should be checking GPG sigs (Score:2)