You can resurrect any deleted GitHub account name. And this is why we have trust issues

Lax policies, coder laziness don't mix well

Jack Gyllenhaal in Enemy

Analysis The sudden departure of a developer from GitHub, along with the Go code packages he maintained, has underscored a potential security issue with the way some developers rely on code distributed through the community site.

The individual identifying himself as Jim Teeuwen, who maintained GitHub repository for a tool called go-bindata for embedded data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects.

The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained by developer Azer Koçulu from the NPM repository. The deletion of one of these modules, left-pad, broke thousands of Node.js packages that incorporated it and prompted NPM to take the unprecedented step of restoring or "un-un-publishing" the code.

Earlier this week, an unidentified developer, whose Go project stopped functioning as a result of the closure of the jteeuwen account, opened a new GitHub account under the abandoned name and repopulated it with a forked version of the go-bindata package as a workaround to re-enable the broken project.

In a post on that account, Franklin Yu, a Boston-area software engineer in the US, said he was a friend of the person who recreated the account and explained that the repo had been resurrected to fix a private project.

"The current owner had no way to directly redirect the repo, so he made such work-around so that he could safely go home without being blamed by his supervisor," he explained. "And of course, hoped this would also save someone else trapped in similar situation."

Yu did not immediately respond to a request for comment.

Confusion

The reappearance of the account, however, has prompted confusion and complaints.

"The fact that they were allowed to do this however represents a fundamental flaw in GitHub's security model," said developer Jesse Donat in a blog post. "Usernames, once deleted, should never be allowed to be valid again. Many sites including Google do it this way."

Twitter does not, which has allowed various people to reactivate account names abandoned by the US government.

The security implications of allowing reuse of abandoned names are particularly evident in the domain industry, where expired domains regularly get re-registered by spammers hoping to benefit from whatever trust and traffic the previous owner had accrued.

Developers themselves bear some measure of responsibility for relying on code they can't control and can't verify.

But Donat, in a phone interview with The Register, suggested that's not realistic. "You could argue it's all down to the developer," he said. "But the fact of the matter is this is how GitHub is now being used, as a package repository, whether it's meant to be or not."

Donat argued that GitHub should address the issue, noting that it would not be difficult to revive an abandoned account name and use it to distribute malware.

Certainly, companies can do more to save people from themselves and to bridge gaps created when those who supply resources to the community retreat from online life by choice or incapacitation.

Although GitHub does have a mechanism that can make it easier for the code community when developers walk away from the site – archived repositories – it could also prevent account names from being reused.

The Register asked GitHub to comment but the company declined. ®




Biting the hand that feeds IT © 1998–2018