GitHub Shouldn't Allow Username Reuse

Update 2018-04-19 - Github has implemented some rules around retiring "namespaces".

To prevent developers from pulling down potentially unsafe packages, we now retire the namespace of any open source project that had more than 100 clones in the week leading up to the owner’s account being renamed or deleted.

This is a decent half step but I'd still love to see either permalinks or every namespace of a user permanently retired once their account is deleted.

Update 2018-02-10 In discussing this with people online, I’ve come to the conclusion that the bigger, more important issue is lack of permalinks to repository instances. Path reuse, rather than username reuse.

There is a very popular tool for embedding data files into your Go binaries called go-bindata . Several days ago however the user who ran it, "Jim Teeuwen" (wayback machine), completely disappeared from the internet – deleting his Github account and personal domain in the process.

While this is within his rights to do, this broke a dependency many people had within their projects.

To fix this, some users of the project recreated the account and the repository based on a fork of the project.

They have an official announcement/disclosure here:

https://github.com/jteeuwen/go-bindata/issues/5

At the very least they are being honest about it.

The fact that they were allowed to do this however represents a fundamental flaw in Github's security model.

Usernames, once deleted, should never be allowed to be valid again. Many sites including Google do it this way.

Allowing username reuse completely breaks any trust that what I pull is what it claims to be.

What if this user had been malicious? It may have taken a while before someone actually noticed this wasn't the original user and the code was doing something more than it claimed to.

While Go's go get functionality is no doubt naive and just pulls the head of a repository, this is not exclusively Go's problem as this affects any package manager that runs on tags. Simply tag malicious changes beyond the current release and it would be deployed to many users likely with little actual review.

This should not be possible. This is scary and should be fixed.

Update

Many people are arguing that this is the developers fault or the package managers fault. I do not agree, but as far as I see it that doesn't matter anyway. The simple fact of the matter is that it is being used like that, like it or not, and the simplest and I argue most correct fix is for Github to prevent the issue.

I think another good option would be Github offering permalinks to repos, such that if they were deleted and recreated the pathing would change.

It affects not only package managers and programs and software, but humans. Humans navigating Github. I have no way to tell while navigating the site if a project is the original or a charade. That is a problem.

As for the title change, I agreed with Hacker News that the original was a bit hyperbolic. I have a tendency to resort to hyperbole to get my emotional point across - and it doesn't always read correctly on the internet.