Just learned that #GitHub makes account names available 90 days after the account is deleted.
Reclaiming usernames makes it possible to squat a trusted identity that may have hosted projects in widespread use...
...and git pull will just pull from the same URL under the new account holder's control.
I wouldn't be surprised if MS changed their terms and declared these accounts inactive or otherwise in breach so they can delete them. Or they may not care *shrug*
Reminds me of when we left a certain IRC network not so long ago.
Don't delete the repository; just push an empty one onto it (other than a README pointing to the new location).
`git push -f`, BTW.
@nn Many software projects I use have periods of activity and dormancy sometimes spanning multiple months, years or even occasionally decades. Some things are well designed (or really lucky) and only need infrequent updates.
Account name squatting seems just as plausible as typo squatting, which has revealed real-world threats in recent years.
@vagrantc If MS cared, the solution is easy: don't expire account names till 90 days after the last 404 on that account name.
But 90 days is arbitrary, what if someone starts using it again on day 91? 180? 540?
Fundamentally the same problem.
@vagrantc someone will. But it won't be the thousands it would have been on 90 days after account deletion.
The attacks we are worried about here tend to be stochastic, right? It's not going to work on everyone. So the chances of it working against the few who still fetch that repo will be low. Once the chances are low enough it's not an attack worth doing.
All security is about evaluating risks against other benefits.
There is no specific value, it is a security trade-off, the longer the better... 90 days gives some benefit, more days gives more benefit, waiting till the last attempted access to disappeared public repositories after N days gives stronger benefit, never reclaiming account names gives maximal security benefit... for this sort of account replacement/squatting/stealing attack.