GitHub Renamed Me (2014) (russbishop.net)
216 points by SushiHippie on Nov 22, 2023 | 73 comments


I’ve been on the other side of this.

I asked GitHub if they could change my username to one that was already taken. As long as the account does not have repos of their own and was deemed sufficiently inactive they can take it.

The support staff approved my request, but I have friends who’ve gotten declined.


I've actually had a (great) username completely blackholed by github. I'm still a bit salty about it.

I had received an email several years ago informing me that it was going to be removed. They gave me the equivalent to a coupon for a free year of the github personal plan as compensation.

To this day it'll tell you that the username is "unavailable" if you try to sign up with it, and the page just 404s.


And it’s called?


malware is probably the best known case of this

Today the profile just 404s

https://github.com/malware

edit: yep this is his account


And Mike Alware is still salty about it.


More likely Malcolm Ware?


What was the username?


As charcircuit figured out, the username is/was `malware`. They deactivated it in 2018 without any explanation, and even my contacts at Github at the time couldn't quite figure out why it was happening.

My only thought was that it was during the MSFT acquisition due diligence, and my username was an unfortunate victim of whatever compliance requirements they had to satisfy.


Honestly the url does not look good. I can see why they wouldn't want it showing up in logs or across the internet. Maybe it was getting hit by virus scanners or other Internet filtering as well.


Sounds like a believable explanation.

> I created my account two years ago in anticipation of being able to open-source more code and I wanted to reserve my name; I had a couple of forked repos but that's it.


Policy on this seems to have shifted in the last 1-2 years.

I’ve asked personally in the last 12 months for a couple situations and been declined by GitHub Support.

Looking quickly on Reddit mine isn’t an unusual experience.

It was good while it lasted!


Same experience for me. 3 years ago I was able to claim an inactive username (the actual process was that you filed a complaint about an inactive user, they renamed the account, then said "it's available now, good luck you better be quick", so it was not an official transfer process).

Tried again about 12 months ago for a different username/org and was told this is no longer possible.


Yeah, sounds like GitHub doesn't let people squat usernames.

The author says GitHub can 'modify his repos at will', but earlier he says he doesn't even have any repos besides a few forks (which were likely not modified)


The problem was that this process was handled very poorly by their support team years ago. No notification or any kind of communication with the original owner. What seemed to you inactive could have been still an active user. This happened to me. It seems that after the Microsoft acquisition things may have improved and they don’t enforce the name squatting policy as easily as before.


That happened to me too, I was able to secure our organization's name that way. There was someone squatting on it, and it could have caused potential problems if they started uploading code. From what I recall about the process, it was pretty straightforward - I sent an email and just a few minutes later, I had the username linked to me.


Same here, not sure if they still list it but GitHub had a name-squatting policy on their site, and after referencing that in an email to support, requesting a username of someone who only had a handful of repos about 8 years ago, they released the username to the public so I could switch to it.


I did this (request an inactive name) for a username many years ago, which led to people scraping my personal email from commits, and using information I used in my readme to contact me and ask for it. “It’s my real name” and other stories.

I almost gave it away the first time, but the person wouldn’t provide proof of it being their name. Future requests made me realize it was just a coveted username


Any idea if they still grant requests like this? There are some pretty nice usernames taken by completely empty accounts.


Same story here


I mean, fair play. If you squat on a username and don't do anything with it for years, having it yoinked seems reasonable. It's not like you paid for it.


I do actually think this is reasonable. It's really annoying when the handle you want is taken by someone who hasn't used it for years.

Two years might be a little short though.


It feels a little different if — as it seems to be the case — the GitHub account is used as a static site generator. Heck, the guy could've been depending upon CNAMEing to `rbishop.github.io`.


Weird not to notify the original owner and give him a chance to respond though.


Yeah I think this is the real issue at hand.


Why did the Github support add an ssh key, though?


Added to the account after it was transferred to its new owner.


Why would it show up in the Security History events for rbishop-xx, then?


> It's not like you paid for it.

There are individuals that pay ~$4/month for GitHub Teams, plus other services (Copilot, CI, LFS, Packages, etc). They may not have public repos, but that shouldn't matter.


I doubt GitHub is going to close the account of an actively paying user. Rather, the fact that they are paying for it constitutes proof that the account is actively owned.


You are talking about something different.


There is no cloud, dude. It is someone else's computer. Deeply buried somewhere it is written they can do anything with your stuff that resides on their computers.

Or simply they can do it, then it'll be up to you to sue them.

Good luck!


I was an early adopter and managed to get a 2-letter username but I’ve also been renamed to -xx without notice and any explanation :(


This can cause problems in repositories with CODEOWNERS files, at the very minimum the change should be notified.


If old guy has (or creates without noticing the name change) a (possibly private!) repo called 'test', and then new user creates one with the same name, when old guy pushes...

I assume they think their checking for emptiness and inactivity covers these cases to some reasonable likelihood.


Nothing will happen when the old guy pushes because the SSH key was changed.


Well, or was it? Unclear to me why they did that in TFA - if they just changed the name, keeping same SSH key on that one (now under a new name) would be fine, helpful even. We don't know if it was changed/removed on the old name (just assume/hope so).


The post opens with the author describing how his key wouldn't work. But moreover, his account was renamed. Git has no knowledge of usernames. If the old key was kept on the account that was renamed, it wouldn't have given anyone access to anything new.


I didn't say git did anything with GitHub usernames.

Yes it would, OP would hypothetically push to old user/org not realising their namespace had changed, but the key would check out, and potentially what was private would now be public.

But anyway, it was a hypothetical, and relatively unlikely, since for real damage (what should be private being public) you'd need to know or be misfortunate/lucky in happening to use exactly the right (or wrong) repo name anyway. And as I said hopefully/I assume they do wipe remove the key anyway.


Lots of discussion on the name changing portion of this, but I’m more perplexed by the github dev / support adding an SSH key to the account. Obviously they have that kind of access to the data / accounts hosted in their infra, but I don’t really understand why that would have been necessary or why they didn’t remove the key afterwards.


Happened to me also. I had registered my username in the first year Github started. Around 10 years later I discovered that someone else assumed my username through reaching out to their support. I was using Github still actively but hadn’t committed for quite some time in public. I was very pissed when I discovered. Support refused to change my name back, instead giving me a coupon I never asked for. Whoever thought at Github this to be a good idea didn’t think through. It’s like the most retarded solution to a problem every social platform faces I’ve seen so far in how it is checked through.


I can't find a followup, but it seems like "rbishop-xx" is still there, "rbishop" still owned by someone else, and Russ Bishop has moved on to the user "russbishop".

It's still a bit curious and troublesome.


This happened to me as well. I had repos, I was even approved members of several large scale open source projects. Just did not have to do anything related to GitHub for a few years. Turns out they renamed me and gave my name to someone else upon request. My links to various repos in my github scattered around the internet (with the old username) still work (so I assume, the new owner can't create repos with the same names). Don't know why GitHub goes through all those hoops to allow this to be honest (yes I'm salty). Like if it was just a registration and empty account that is understandable but they renamed an account full of repos and memberships and their infrastructure supports keeping old links active etc. Just weird.


Seems like a reasonable approach to namesquatting, although an email notice would probably have been nice.


Is it though? For one thing it doesn't stop squatting, since all an actual squatter has to do is create a repo with some legit looking code. All this does is inconvenience people like the author who have legitimate reasons for not having uploaded anything yet.


Does the author have a legitimate reason for having not uploaded anything? I don't see how they're different than any other name squatter, they wanted to reserve the name while not using it. Another person who goes by rbishop wanted to actually use the name. From the latter rbishop's perspective, Russ was name squatting his username.

Doing a bit of snooping, this post was March 2014, his first interaction on Github was February 2015. So he still didn't do anything on Github for 11 months after the name change.


> Does the author have a legitimate reason for having not uploaded anything?

Plenty of projects are using GitHub as a social hub. Pushing code isn't the sole use of a username there.


But was he using it as a social hub?


siva7 was, at https://news.ycombinator.com/item?id=38384928 . ("I was using Github still actively but hadn’t committed for quite some time in public.")


> Does the author have a legitimate reason for having not uploaded anything?

Sure, he mentioned it. He reserved the name in preparation for open sourcing some projects, but medical and personal issues delayed that happening for a while.


I didn't realize people needed a reason for not uploading code for a duration. Wtf?


Use it or lose it is a good base policy. Just because it isn’t perfect does not change that. Two years(!) is a long time to be sitting idly on a name and is squatting regardless of intent or circumstance.


It seems like GH admins are capable of looking at a user and making a judgement call (no repos, no activity, no SSH keys, and a few forks) to determine that the username is being squatted. And based on the article, the author was just name squatting. I don't think there's a distinction between "legitimate" or not - use it or lose it.


This is from 2014. Was there ever any resolution to this? I don’t see any previous discussions about this on HN.


https://github.com/rbishop-xx still points to the author and https://github.com/rbishop still points to the Richard B mentioned in the post. So if there was a resolution it didn't reverse the rename.


The author created a new GH account

https://github.com/russbishop


How would this affect you if you are using Github as an OAuth provider? Does Github mention under what conditions they are going to take away someone's username? No code? No OAuth? No activity?


Most corps are looking at GH EMU, which means you bring the username/email address, and that a public GH username is not possible. This also prevents the creation of public repositories.

https://docs.github.com/en/enterprise-cloud@latest/admin/ide...

The people they care about don't use GitHub oauth, but instead use their own private idp like Okta.


I wonder if they've ever used, or wanted to use, a path or org themselves (like actions, say) that was taken by some external user.

Seems a good idea to put user generated content somewhere else, like example.com/users/OJFord instead of top-level say, and then if you decouple handle from displayed name people don't care to claim their clean name as in OP so much either. But of course for the URL, you have to think of that in your early days - GitHub can't break all those links now!


Without any context or followup, this seems like old news that doesn't need to be rehashed on the front page today. This event pre-dates the Microsoft purchase of Github.


Also considering that since the acquisition, they won't do anything to dissuade name-squatting anymore, despite their terms of service still suggesting otherwise


That is troubling. Does this mean Github staff can basically take over any private account without contacting the owners? Can regular staff access private repos? Could they quietly manipulate my own repos by changing my ssh key and pushing commits? Sky's the limit in terms of the negative impact that could have. Does SSO with Github depend on the username? Would a renamed account be able to access services where I used "Sign in with Github"?


(I don't work at Github, these are inferences from working on other cloud services)

> Does this mean Github staff can basically take over any private account without contacting the owners?

That's an incredibly common feature to have on the admin side. Three of the four companies I've worked at have had some form of "log in as this user" button, with general guidance to not do anything dumb. The fourth had good reasons for not supporting that, but it made debugging anything happening in production incredibly annoying.

> Could they quietly manipulate my own repos by changing my ssh key and pushing commits?

They _literally own the servers_. They don't need your ssh key. Likely not _everyone_ has direct filesystem access, but at least a few people do.

By hosting anything on a cloud service, you are trusting the people running that service. If you don't trust them, don't do that.


If you want your own username, don't use someone else's computer. Self-host github/gitlab/gitea/whatev, and use your favorite username, without the fear of losing it.


I found it amusing that the IP address in one screenshot has the following field in whois:

Address: 1800 Bishops Gate Blvd

Isn't gate a common way to suffix scandals in the USA?


Bishops Gate has been a place before Watergate happened.


Sure, Gate is a somewhat common way of naming places. Not really related to the trouble in the article, but a nice coincidence, we have Bishops and Gate.


So you make usernamex, username-x, username-xx accounts and populate the repos ... do they then bump you to username-y?


Wow. This has pretty terrifying implications if people are using GitHub to sign into other services.


Username and user ID are distinct. If username was the ID, you couldn't even change it yourself.


That assumes that all third party sites use the user ID, not the username. From my understanding, the way "login with Github" works is by the app getting an OAuth token, then querying a "give me the currently logged in user" API using that token, which then returns an object identical to https://api.github.com/users/rbishop

If the client keys on "login" rather than "id" (this GitHub tutorial, for example, only mentions the former, not the latter: https://docs.github.com/en/apps/creating-github-apps/writing...) and then stores "github user rbishop can access account 123456 on our system", the new owner of the account name would likely be able to hijack the previous owner's 3rd party accounts.
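Added example (not part of the thread, and not GitHub's or any real application's code): the account-link problem described in the comment above, with a link table keyed on `login` next to one keyed on the numeric `id`. The class names, the local account name and the numeric ids are constructed for illustration; only the `id` and `login` fields come from the user object the comment refers to.

```python
# Constructed payloads shaped like the user object an app receives after
# "Sign in with GitHub"; ids and the local account name are made up.

class LoginKeyedLinks:
    """Weak pattern: local account is looked up by the mutable 'login'."""
    def __init__(self):
        self._links = {}

    def link(self, gh_user, local_account):
        self._links[gh_user["login"]] = local_account

    def resolve(self, gh_user):
        return self._links.get(gh_user["login"])


class IdKeyedLinks:
    """Hardened pattern: lookup by numeric 'id'; login kept only for display."""
    def __init__(self):
        self._links = {}
        self.rename_events = []  # (id, old_login, new_login), useful for audit logs

    def link(self, gh_user, local_account):
        self._links[int(gh_user["id"])] = {"account": local_account,
                                           "login": gh_user["login"]}

    def resolve(self, gh_user):
        entry = self._links.get(int(gh_user["id"]))
        if entry is None:
            return None
        if entry["login"] != gh_user["login"]:
            # Same person, new handle: record it and refresh the display name.
            self.rename_events.append((gh_user["id"], entry["login"], gh_user["login"]))
            entry["login"] = gh_user["login"]
        return entry["account"]


def simulate():
    original = {"id": 1001, "login": "rbishop"}      # links the local account
    renamed = {"id": 1001, "login": "rbishop-xx"}    # same person after the rename
    newcomer = {"id": 2002, "login": "rbishop"}      # different person, reused name
    weak, strong = LoginKeyedLinks(), IdKeyedLinks()
    weak.link(original, "local-123456")
    strong.link(original, "local-123456")
    return {
        "weak_newcomer": weak.resolve(newcomer),     # wrong person gets the account
        "weak_renamed": weak.resolve(renamed),       # original owner is locked out
        "strong_newcomer": strong.resolve(newcomer),
        "strong_renamed": strong.resolve(renamed),
        "rename_events": strong.rename_events,
    }
```
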


My user ID in Github is username and they just suddenly name it also to usernamex.


Not github, but I signed up for a service with the username 'duplicate_user_id'. It seems someone there didn't find that as amusing as I did, locked the account, and refused service.

I can only guess they thought it was set up for some sort of scam, but I can't imagine what.


This seems... deeply idiotic on GitHub's part. Consider the following scenario:

1. A script/CI/etc is pulling the latest releases from the repository.

2. Ownership of the account is changed.

3. The new owner controls the contents of the repository, and can perform a supply chain attack.

I'm not sure GitHub would be liable there, but personally I wouldn't want to find out the hard way.
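Added example (not part of the thread): one way a consumer can refuse a release in the scenario above is to pin the repository's numeric id, the owner's numeric id and the asset digest at the time the dependency is reviewed, instead of trusting the `owner/name` path. The metadata dicts are constructed and only shaped like a repository object with `id` and `owner.id` fields; all ids, names and bytes are made up.

```python
import hashlib

def verify_release(repo_meta, asset_bytes, pin):
    """Return the reasons to refuse this release; an empty list means it matches the pin."""
    problems = []
    if repo_meta.get("id") != pin["repo_id"]:
        problems.append("repository id changed")
    if repo_meta.get("owner", {}).get("id") != pin["owner_id"]:
        problems.append("owner id changed")
    if hashlib.sha256(asset_bytes).hexdigest() != pin["sha256"]:
        problems.append("asset digest mismatch")
    return problems


def demo():
    reviewed_asset = b"constructed release tarball v1.0"
    # Pin recorded when the dependency was reviewed (constructed values).
    pin = {"repo_id": 555001, "owner_id": 1001,
           "sha256": hashlib.sha256(reviewed_asset).hexdigest()}
    # Same path "rbishop/test" before and after the name changed hands.
    before = {"id": 555001, "full_name": "rbishop/test",
              "owner": {"id": 1001, "login": "rbishop"}}
    after = {"id": 777002, "full_name": "rbishop/test",
             "owner": {"id": 2002, "login": "rbishop"}}
    return (
        verify_release(before, reviewed_asset, pin),        # matches the pin
        verify_release(after, reviewed_asset, pin),         # same bytes, new owner
        verify_release(after, b"different contents", pin),  # new owner, new bytes
    )
```
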



