Gitlab deletes then opens account to others without warning

34 points by threatofrain ↗ HN
.

24 comments

[ 2.6 ms ] story [ 61.0 ms ] thread
I feel like we're missing part of the story here. Are we?
I'm a low volume and boring user. I also have <no> messaging from GitLab, so there isn't much to say.

Also, what kind of poor user behavior on my part means opening up my account for registration? Let's say that Rush Limbaugh is kicked off of Twitter for bad behavior — should I be able to claim his account?

And shouldn't the hypothetical Twitter user get an email warning them that their account is about to be opened up for public registration? I only tried to register under my own account to test whether my account had been disabled.

This is about Gitlab's dormant policy which is similar to Github's name squatting policy.

Only happens to long inactive accounts and both platforms will not notify the owner since it's about name squatting. They just rename the handle and you still have your account.

Why anyone should be concerned if his account has been inactive for a long time?

Yes. I am sure there are many, but here's one stupid reason:

  pip install git+https://gitlab.com/me/lib
(comment deleted)
That's crazy! Moved to Gitlab for some projects because of Github horror stories, and now this? The only "safe" way to do anything is to self host everything, it seems.
I'm from GitLab support. We do have a dormant namespace release policy which your account may have been eligible under:

https://about.gitlab.com/support/#dormant-namespace-requests

If your account was released under this policy, it's likely your username was renamed to <username>_idle, as documented here:

https://about.gitlab.com/handbook/support/workflows/dormant_...

I don't know what happened with your account specifically as you haven't mentioned your username. You can always drop us a support request regarding your account here:

https://support.gitlab.com/hc/en-us

(comment deleted)
Isn't this a considerable security issue?
Woah, the title of this post was changed to "." as was the description. It used to describe how the persons username was taken by GitLab without any emails. GitLab also went through YCombinator, hmm.
That seems...odd
I'm talking to support and I want to give that a chance to work.
The submitter edited it. YC wasn't involved.
(comment deleted)
This is a pathetic policy, Gitlab. For this reason alone, I'll stick to GitHub.

What if I'm hospitalized or away on an extended trip? You just going to let someone else take my account username?

No thanks.

I wouldn't worry about that, we have clear conditions that need to be met before we release a username [1]. It's meant to prevent name-squatting, not take usernames away from actual users. Although I do want to point out that GitHub also has this [2], it's just worded differently and doesn't outline what they consider "inactive".

[1] https://about.gitlab.com/support/#dormant-namespace-requests

[2] https://docs.github.com/en/github/site-policy/github-usernam...

What's an "active project"? OP says they discovered that their account had been renamed by having their workflow break. What kind of activity was OP regularly engaging in that depended on OP's account existing with the original name but did not flag OP's account as active?
The historical nature of or convention on the web has been first come first served on names. Most well designed systems will never change a username due to inactivity or for any reason other than the owner requesting it (even that’s not allowed on most systems). Usernames that aren’t actively used, after a known period of inactivity, may be deleted along with content associated with that username.

Look at email addresses: platforms like Gmail and Yahoo will delete your account for inactivity with adequate advance warning, but they will not release your email address for someone else to claim in the future (on the other hand, paid platforms like Fastmail and Posteo will allow your deleted addresses on their domains to be grabbed by anyone).

With GitLab’s policy of renaming inactive accounts without any warning or notice, any links that someone has shared could later point to a different person. A “404 Not Found” error or an “email address does not exist” error is far better, IMO, than redirecting someone to a totally different person.

If an inactive username is to be released back for use by someone else, there should be a significant duration from the time the username is disabled to the time when it’s available for someone else.

Looks like someone broke the URL and description. Is this being buried?