You can resurrect any deleted GitHub account name. And this is why we have trust issues

Lax policies, coder laziness don't mix well

By Thomas Claburn in San Francisco


Analysis The sudden departure of a developer from GitHub, along with the Go code packages he maintained, has underscored a potential security issue with the way some developers rely on code distributed through the community site.

The individual identifying himself as Jim Teeuwen, who maintained the GitHub repository for go-bindata, a tool for embedding data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects.

The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained by developer Azer Koçulu from the NPM repository. The deletion of one of these modules, left-pad, broke thousands of Node.js packages that incorporated it and prompted NPM to take the unprecedented step of restoring or "un-un-publishing" the code.

Earlier this week, an unidentified developer, whose Go project stopped functioning as a result of the closure of the jteeuwen account, opened a new GitHub account under the abandoned name and repopulated it with a forked version of the go-bindata package as a workaround to re-enable the broken project.

In a post on that account, Franklin Yu, a Boston-area software engineer in the US, said he was a friend of the person who recreated the account and explained that the repo had been resurrected to fix a private project.

"The current owner had no way to directly redirect the repo, so he made such work-around so that he could safely go home without being blamed by his supervisor," he explained. "And of course, hoped this would also save someone else trapped in similar situation."

Yu did not immediately respond to a request for comment.


The reappearance of the account, however, has prompted confusion and complaints.

"The fact that they were allowed to do this however represents a fundamental flaw in GitHub's security model," said developer Jesse Donat in a blog post. "Usernames, once deleted, should never be allowed to be valid again. Many sites including Google do it this way."

Twitter does not, which has allowed various people to reactivate account names abandoned by the US government.

The security implications of allowing reuse of abandoned names are particularly evident in the domain industry, where expired domains regularly get re-registered by spammers hoping to benefit from whatever trust and traffic the previous owner had accrued.

Developers themselves bear some measure of responsibility for relying on code they can't control and can't verify.

But Donat, in a phone interview with The Register, suggested that's not realistic. "You could argue it's all down to the developer," he said. "But the fact of the matter is this is how GitHub is now being used, as a package repository, whether it's meant to be or not."

Donat argued that GitHub should address the issue, noting that it would not be difficult to revive an abandoned account name and use it to distribute malware.
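The practical defence against the risk Donat describes is to stop treating the account name in an import path as the identity of the code and to pin what was actually reviewed. The following Go program is an added example written for this article, not code from the article, from GitHub or from the go-bindata project: it records a SHA-256 over a vendored dependency tree alongside its import path and fails verification when the bytes behind that path change, whoever now controls the name. The import path `github.com/example-owner/example-tool`, the file `tool.go` and the commit value are constructed placeholders.

```go
// Added example, not code from the article or from go-bindata: verify a
// vendored dependency by its content hash rather than by the GitHub account
// name in its import path. Import path, file names and pin values are
// constructed for the demo.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Pin records what a project reviewed: the import path it uses, the commit it
// took (informational only) and the SHA-256 of the vendored tree, which is
// what is enforced. Whoever later holds the account name cannot keep this
// hash valid without shipping the same bytes.
type Pin struct {
	ImportPath string
	Commit     string
	SHA256     string
}

// HashTree returns a hex SHA-256 over every regular file below root, walked in
// sorted relative-path order with path and size length-prefixed, so the same
// files give the same hash wherever the tree is checked out.
func HashTree(root string) (string, error) {
	var rels []string
	walk := func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.Mode().IsRegular() {
			rel, err := filepath.Rel(root, p)
			if err != nil {
				return err
			}
			rels = append(rels, filepath.ToSlash(rel))
		}
		return nil
	}
	if err := filepath.Walk(root, walk); err != nil {
		return "", err
	}
	sort.Strings(rels)
	h := sha256.New()
	for _, rel := range rels {
		f, err := os.Open(filepath.Join(root, filepath.FromSlash(rel)))
		if err != nil {
			return "", err
		}
		st, err := f.Stat()
		if err != nil {
			f.Close()
			return "", err
		}
		fmt.Fprintf(h, "%d:%s:%d:", len(rel), rel, st.Size())
		_, err = io.Copy(h, f)
		f.Close()
		if err != nil {
			return "", err
		}
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verify hashes the vendored copy of each pin under vendorDir and returns the
// import paths whose contents differ from what was reviewed. A missing tree
// is an error rather than a silent pass.
func Verify(vendorDir string, pins []Pin) ([]string, error) {
	var changed []string
	for _, p := range pins {
		got, err := HashTree(filepath.Join(vendorDir, filepath.FromSlash(p.ImportPath)))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", p.ImportPath, err)
		}
		if !strings.EqualFold(got, p.SHA256) {
			changed = append(changed, p.ImportPath)
		}
	}
	return changed, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed vendor tree standing in for a real dependency.
	vendor, err := os.MkdirTemp("", "vendor-demo")
	check(err)
	defer os.RemoveAll(vendor)
	const ip = "github.com/example-owner/example-tool"
	dir := filepath.Join(vendor, filepath.FromSlash(ip))
	check(os.MkdirAll(dir, 0o755))
	check(os.WriteFile(filepath.Join(dir, "tool.go"), []byte("package tool\n"), 0o644))
	sum, err := HashTree(dir)
	check(err)
	pins := []Pin{{ImportPath: ip, Commit: "placeholder-commit", SHA256: sum}}
	changed, err := Verify(vendor, pins)
	check(err)
	fmt.Println("after review:", changed) // after review: []
	// Same import path, different bytes: the situation a re-created account name allows.
	check(os.WriteFile(filepath.Join(dir, "tool.go"), []byte("package tool // different\n"), 0o644))
	changed, err = Verify(vendor, pins)
	check(err)
	fmt.Println("after change:", changed) // after change: [github.com/example-owner/example-tool]
}
```

The point of the design is that the recorded hash, not the path, is the trust anchor: a build that vendors dependencies and runs a check like this at CI time will still fail closed if a resurrected account serves different code, and will also fail if the tree is simply missing, which is what happened when the original account disappeared.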

Certainly, companies can do more to save people from themselves and to bridge gaps created when those who supply resources to the community retreat from online life by choice or incapacitation.

Although GitHub does have a mechanism that can make it easier for the code community when developers walk away from the site – archived repositories – it could also prevent account names from being reused.

The Register asked GitHub to comment but the company declined. ®
