Ask HN: My GitHub account got suspended without any notice
I'm a Full Stack Developer from India. I'm a maintainer at Gatsby, Open Sauced and Triager at ExpressJS, Nest.land, JSHttp etc. I use GitHub a lot, but recently my account got suspended midnight without any notice, From my knowledge I haven't spammed GitHub, I review 3 - 6 PRs in Gatsby per day, It's been a week without GitHub, I have three sponsors in GitHub, they are asking me tons of questions and one of my sponsor stopped sponsoring me (my payout balance got reduced). All of my office work got stopped, I'm the admin of the org that is used in our company. All employees now don't have access to the repo because it is returning 404. I got support from lot of people in Twitter but GitHub is not responding to my ticket for a week. I also created a petition is change.org https://www.change.org/p/github-inc-my-github-account-suspen... some people supported me over there too. It would be great if GitHub unsuspends me.
My support ticket number: 763327
GitHub Profile: https://github.com/yg
Save Open source developers!
Hope Nat Friedman and GitHub will see this!
278 comments
[ 3.8 ms ] story [ 277 ms ] threadWhich is your latest commit in https://github.com/gatsbyjs/gatsby/commits/master ? (Is this the correct project?)
I mostly review PRs in Gatsby, I don't remember what is the last commit!
It has five authors (one is a bot). The fourth one is the OP but the picture does not have a link to the profile because it is suspended.
I'm not talking just for sources and repos. About servers too.
Please explain where is "lot of effort and downtime"?
One is an unknown and the other is an counterpoint to this.
It's due to paying github and getting highly technical support. The tooling is also superior for our purposes.
I am not saying that everyone needs to pay github. There is a good chance, however, that there was a reason this person's account was suspended. If this was due to a mistake, a straightforward contact letter would have more results than starting an internet petition.
If we as a community truly care about OSS and the people behind it, this kind of error cannot be tolerated. It flies in the face of everything that the open source community stands for.
The problem with Github is that everyone uses it, and services like Gitlab still don't have the same level of activity in the open source community. Well over 95% of source code links posted here on HN, for example, are Github links.
Thanks!
How do you know this was due to corporate incompetence?
https://cointelegraph.com/news/interview_yurii_rashkovskii_t...
I would love to see something like this succeed for all manner of infrastructure... from domains and DNS, to email, to version control.
To anyone reading from GitHub, this is making me rethink my choice of GitHub as a platform, and I'm sure the same is true for other people reading this post. Your reputation is very much at stake.
To anyone reading this from Gitlab, how easy is it to migrate CI/CD off of GitHub Actions to Gitlab?
In other words are we just assuming Digital Ocean/Hetzner or wherever one 'self-hosts' is less likely to auto ban you for no reason? I would say yes, but I hope others are atleast considering this aspect when comparing this moving to Gitlab or whatever
Time and time again we see large companies from all markets only respond when public interest is triggered and more than just the individual user starts to question the actions of the company
This is the sad reality we are in, if you tie your work, your income, etc to a large corporation you likely will be screwed at some point unless you can cause a public backlash.
Which is not something unheard of when dealing with large companies.
If true,that they did not respond, that would be much more worrisome to me than whatever the reason for the ban might have been.
That was the time to start sharing “your side”.
Long story short: don't give your time and money to evil corporations.
I meant, nothing to do with Github's acquisition by Microsoft.
I don't know what the precise cause of this bad support is, but I would wager that an acquisition by Microsoft will shift GitHub's priorities away from Support and towards Enterprise Sales.
I'm sure they're pedalling Azure, but other than that Github is still very much independent.
Gitea/Gitlab are crazy easy to set-up nowadays, especially with a fully working CI/CD setup (I use Gitea+Drone and I love it, Gitlab comes with its own)
Especially if you registered under a pseudonym, as then you can't prove legal ownership of the domain either. But even if you register under your real name, you may need a court case to compel transfer if the old registrar won't cooperate.
A sensible policy is to look at the risks you can do something about, try to assess how likely each threat is and what damage it would cause if it actually happened, and then make your plans taking into account how much you want to control those risks and what it costs you to do so.
On this scale, something like the total collapse of law and order or the failure of the core infrastructure of the modern Internet and its governance processes is obviously less likely than one commercial service provider pulling the plug on unspecified or unreasonable grounds.
We're not going to change the DNS registrar system overnight. But by drawing attention to the issue, we might, eventually, make it a bit more robust with regards to things like registrars becoming unresponsive to small players, or losing data.
For example if people could register with two or three independent registrars in order to have robust control and ownership in the event any one registrar fails them, that might help as a technical solution for robustness. No doubt there are other non-technical things that may help as well.
Separate from changing DNS, I think it's sensible to recognise that risks with cloud hosting or using SaaS, as happened to OP with their GitHub account, also exist with DNS, so for anyone who would find that a problem, they should evaluate whether relying on a single domain, or even on DNS itself, is the right thing to do. For example, high-value IoT devices in the field that can't be updated easily might look for their server at more than one DNS name, and specifically on separate domains (not subdomains) held by distinct registrars, and validate the server's identity. Or they might keep track of IP addresses that have worked recently (in addition to DNS) and fall back to those. (I have worked on devices where this was helpful because DNS on some deployed sites turned out to be unreliable.)
The culture and economics behind a lot of tech SAASes that we talk about here all the time make them inherently vulnerable to discarding or abusing users, even those who have been with them a long time and maybe paid them quite a lot of money, in the name of the almighty growth curve. The incentives there are not necessarily aligned with supporting even long-standing and loyal users.
In contrast, there is little to gain for a DNS provider to screw a paying customer or get embroiled in some tedious arguments about rights to some domain name. They can't entirely avoid that because of the environment they operate in, but they are generally going to make the most money when they have lots of happy customers who can briefly engage with the provider's almost entirely automated systems and pay some registration fees for the privilege through another almost entirely automated system and then everyone can get on with their day happy with the trade.
[1] https://fossil-scm.org/home/doc/trunk/www/index.wiki
Of course it could also be in a database thingy for querying and stuff.
Some people say it is because Github wants to lock you in. I don't really believe that, but I am equally sure they don't mind if you lock yourself in.
Yeah, but it's much, much, much less likely than some script at GitHub getting triggered and shutting your account down. And even the cheap hosting providers do have ultra-premium-platinum-support compared to Google, GitHub, Amazon etc.
It is an odd thing to think that GoDaddy may have more merit as a solution than Github for hosting code...
Switching domain registrar and re-routing DNS is a simple and cheap thing if it ever becomes necessary.
If you self-host your repository, you don't have a hosting provider. There is no-one to "pull the plug" on the server at my business's office except the people who work in the building who could literally pull the plug, and I suppose the electricity and phone companies and our ISP.
What you are talking about isn't self-hosting, it's hosting in the cloud on VMs you're renting directly. This is an intermediate step between self-hosting and using a fully hosted service like GitHub.
With cloud-hosting, you are probably still subject to the whims of your hosting service. For example, you might be subject to occasional forced restarts of a long-lived instance if your hosting service needs to restart or replace the underlying physical server.
However, in most cases, unless you're doing something illegal using their equipment or compromising their system in some way, these hosting services don't much care what you're running on your virtual box. This option is still far less risky than using a fully-hosted service, not least because you retain full control over the underlying data so there is almost nothing that can happen because of your hosting provider that a reasonable backup strategy can't fix within a relatively short amount of time.
1. Always have independent and automatic data backup. A storage medium attached to a raspberry pi is plenty enough
2. Always choose a setup that you can deploy and migrate trivially
It wouldn't matter what the hosting provider does if you have the power to pack up your bags and move elsewhere when they misbehave.
That way you can use 3rd party integrations, and be part of the Github ecosystem 99% of the time, but when they do something like this, you have an emergency place to work from?
2. It is a free product. Would you spend 7 million a year supporting a free product?
3. 99% of complaints would be of the nature "GitHub is broken. HELP!" and really be some person who did not set the origin before pushing.
I for one pay for GitHub. I've never had a ticket that wasn't answered in under a day, but I'd be almightily annoyed with them if I submitted a ticked like this and didn't have a response within hours.
That is roughly the fully-loaded cost to employ a senior software developer in much of the world. A decent but first-line tech support agent would cost a fraction of that amount almost anywhere outside the US.
2. It is a free product. Would you spend 7 million a year supporting a free product?
Presumably for the same reasons you spent far more than that to buy and continue to operate the service at all.
3. 99% of complaints would be of the nature "GitHub is broken. HELP!" and really be some person who did not set the origin before pushing.
Then 99% of the complaints will be dealt with quickly using standard replies and references to FAQs. These aren't going to be the ones attracting hundreds of comments and presumably thousands more readers on prominent online forums for software developers.
Basically the same deal as "educational licenses" for expensive software suites. It isn't a freebie at all; it's an investment into future customer acquisition through lock-in. That's how you're paying for it.
It's unclear if the poster had a paid for account.
No, front-line support staff might scale that way, but organizational costs scale superlinearly with the size of the bottom of the pyramid, so even if it did, total cost would be super linear with userbase.
The notion that customer support, just like security, is just a sunken cost needs to stop.
Lambs to the slaughter. Did you really believe that Microsoft suddenly did a 180 and that all the people that thought EEE and hamstringing Linux through proxy lawsuits and outright lies were just fine have left the company?
It seems that I may be wrong.
He should do as he is told by MS.
This is really obvious from the parts that they choose not to open-source, such as https://github.com/MicrosoftDocs/intellicode/issues/201
https://notabug.org
https://codeberg.org
Putting all my eggs in GitHub's basket is evidently too much risk for me to bear.
But if GitHub bans you, good luck with that. They're not just deleting your data; they are removing you from your own community, because they control its environment.
Edit: And the domain name system, unlike services like GitHub, actually has processes and mechanisms in place for recovering access and filing disputes.
You should reconsider it no matter what; you're putting your business in someone else's hands and relying on their goodwill not to completely fuck you over.
Using Github can be a tolerable risk when your company has hundreds of more-likely reasons to fail in the next month and needs every little bit of saved time it can get. But once the business has it's feet under itself, the github contract of adhesion is a pretty stupid risk to take.
When you pay a professional for a service, you should be able to expect that the service is provided.
And if you can't handle your business relying on contractually and legally defined interconnections with other entities then you really shouldn't be running a business.
However this is just vendor management. You have to balance risk and productivity, and it's even more important now with how many different services a typical business uses.
Most people are better off using third-party services with proper support contracts rather than trying to plan for an edge case while ignoring all the other new challenges it brings to do it all yourself.
Going back to the OP's post, if you leave a vendor for a single 1-sided account of a negative experience, you'll never deal with another company again.
The safe default seems to me to believe these stories at face value unless evidence to the contrary has been provided.
Regardless I don't see what the issue is in waiting for the full story.
I don't think we have enough information to definitively prove that his email address is still accurate on the account. If the account was taken over by a malicious user (hopefully not because they claim MFA was enabled), then the new user's email address may be the one that was notified.
I guess abuse-related tickets can’t be handled by the usual responsive team(s).
We have example templates for most common languages and frameworks: https://docs.gitlab.com/ee/ci/examples/.
You can read here for all the supported ways you can create pipelines and define the CI jobs: https://docs.gitlab.com/ee/ci/yaml/
A TL;DR is that all you need is a base docker image and a list of commands to run. Jobs will run in parallel for each stage, or you can define dependency between then, so they run as an independent DAG.
(You can easily import all your projects with a few clicks: https://docs.gitlab.com/ee/user/project/import/github.html#i... and we get everything from issues, merge requests, to labels milestones, comments, etc.)
- Doesn't have excessive server side dependencies or resource requirements
- Doesn't have unnecessary client-side requirements (should be fully usable without JS, should not load a million resources to render a single page)
- Doesn't make any external requests (except for things like third-party logins where there is no other way)
- Has decent UX and visuals
Truly terrifying how integral the internet has become and yet due process is nowhere to be found.
Support (chat only) was mostly unavailable and would disappear before answering, or ask me for things at times I was asleep and be gone when I woke, or send me around in circles.
After some research I picked up that their Facebook team was much better than customer services. So I DM'd someone in the bank's Facebook team, and my account was unblocked within 20 minutes.
https://github.com/marketplace/actions/mirroring-repository
Also this only does the initial cloning, I still need to implement pulling down new commits.
But, the majority of the boilerplate is taken care of, like for authenticating to their API.
PRs welcome! And don't forget to fork it ;)
[0]: https://github.com/TwoRingSoft/tools/blob/master/bin/sync-fo...
https://github.com/clockfort/GitHub-Backup
"GitHub has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. GitHub reserves the right to refuse service to anyone for any reason at any time."
https://docs.github.com/en/github/site-policy/github-terms-o...
People, please read and question terms of online services.
https://twitter.com/technocrypto/status/1283038543577788417
But no, instead one runs around and starts a petition.
For him, I would expect to call out the clause that "allows" GitHub to do that as it is quite sure illegal in some European counties to have such a arbitrary termination policy. And maybe even start a legal case about it and call for support.
But this way it simply sounds like "please take me back" begging.
It provides (or may provide) a stronger legal backing for GitHub if they have to terminate service for some reasonable reason that cannot be anticipated or enumerated in advance, in other words a judgement call, where the termination of service might be challenged legally or result in a lawsuit.
There are surely situations where action rather than pussy footing would be the right thing for GitHub to do, against a vexatious user with a penchant for abusing the service and using the legal system to incur costs on GitHub while doing so.
It would be much better if the clause was not so draconian. But I'm not sure what kinds of termination clause would protect GitHub in situations where it needs the flexibility to make judgement calls.
(ps. I don't want to imply the OP's GitHub account is in this category; I'm sure it isn't. I'm talking only about why the clause may be in the ToS.)
I wonder if you posted anything that did upset their Gestapo knowingly or unknowingly because it doesn't matter. Maybe you used a variable than contained the word "blacklist"?
Maybe it was a mistake, maybe you did something wrong. But maybe you've been neutralized by the silicon valley thought police.
This is absurdly counter-factual.
This is not contributing to a discussion. Expect that flamebait (including name-calling) is going to get flagged.
It has nothing to do with which side of the political spectrum you are on.
Your comments are downvoted because you have written in an attacking, nonsense style. They are low quality comments, and HN is a place for higher quality discussion.
If you wrote a "liberal extremist" comment in the same style, that would be downvoted as well.
Attacking other users ("SS thugs like you") is especially unwelcome here.
As someone generally critical of radical left-wing politics (in fact, any radical politics), you are not doing yourself (or anyone) any favours by using ad hominem arguments like this. Please just stop.
Bruh, first time I'm hearing "liberal" and "SS" in the same sentence. Never thought of those folks as liberal before.
https://www.washingtonpost.com/outlook/2020/02/05/right-need...
Including in Congress:
https://www.vox.com/2019/3/27/18283879/nazism-socialism-hitl...
You won't find many right-wing candidates for office proposing removing Social Security and Medicare.
https://news.ycombinator.com/newsguidelines.html
We ban accounts that post like this and like your other comments downthread—regardless of which ideology or politics you favor. No more of this, please.
https://docs.github.com/en/github/supporting-the-open-source...
Gitea is very lightweight and simple to manage. I use mine as my primary server for personal projects and mirror them to my GitHub account for the network effect. I also have my server mirroring several upstream projects from GitHub to run my Drone build server against, but it also makes sure I can access them should anything happen to the upstream or to my account.
But everyone should have a system to take backup of their org accounts on GitHub and other services if thats what you use. You don't want the apocalypse scenario that the service bans you and now you are all scrambling to find the latest copies on your PCs.
https://dev.to/lucis/how-i-got-the-github-username-of-my-dre...
https://dev.to/yg/how-i-got-two-letter-username-on-github-i1...
Perhaps someone is trolling him as a result...
https://dev.to/yg/comment/11cog
It is time that all countries introduce laws that prohibit online monopolies from denying access to their users without good reasons.
I think we need another word for these companies that are way to big and "monopolize" certain online spaces/communities.
"[...] the U.S. government accused Microsoft of illegally maintaining its monopoly position in the PC market primarily through the legal and technical restrictions it put on the abilities of PC manufacturers (OEMs) and users to uninstall Internet Explorer and use other programs such as Netscape and Java." [0]
"The plaintiffs alleged that Microsoft had abused monopoly power on Intel-based personal computers in its handling of operating system and web browser integration. The issue central to the case was whether Microsoft was allowed to bundle its flagship Internet Explorer (IE) web browser software with its Windows operating system. Bundling them is alleged to have been responsible for Microsoft's victory in the browser wars as every Windows user had a copy of IE." [0]
I do agree that exclusive control may not be needed. However, Microsoft was engaging in other anti-competitive behavior. It's not like they're restricting Windows users to only use GitHub.
[0] https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor....
Does GitHub do anything to actively prohibit the use of it's competitors?
I reckon for open source the "de facto standard" plays a much bigger role, because of the user expectation to find projects on Github.
If GitHub is truely hostile to you, taking your business elsewhere (or hosting it yourself) shouldn't be too much of a roadblock for people with sponsors like OP.
Google your office IP address, maybe it got listed on some spam forum and GitHub and others used it.
Given you have sponsors, this is a pretty big mistake on their behalf. Probably just a mistake, hope they restore your account.
Support won't respond to your emails because it could be the attacker impersonating you, or he could still have access to your email and get info that way.
This is Standard Operating Procedure I've seen applied on stolen accounts in MMO videogames involving stolen credit cards and organized crime. Sometimes wait time was 6 months with no contact, because they needed to keep the evidence under seal for the police investigation and avoid tipping off the attackers.
Your 2-letter nickname and access to important projects makes your account a high-value target.
Did you have 2FA enabled?
edit: usually the email account got hijacked first, defeating the 2FA/1-time token. SMS is also easily hackable.
Another vector is the as of yet unfixed GitHub "ghost" bug, which I discovered and detailed here: https://github.com/git-rest/spooky
Note how you can read that repo, but the account https://github.com/git-rest doesn't exist.
edit: the ghost repo is cool trick. Is there a writeup anywhere?
Also op said they do have 2fa, which makes this excuse even poorer.
For sure this. People go crazy for this stuff and sell access on the dark web (https://gimletmedia.com/shows/reply-all/v4he6k/)
You should probably change that to 07/08/2020 if you're targeting American audiences.
Just a little part of why I hate and mistrust that company.
Even as a paying customer for many years, my account was disabled – without even receiving an email warning. I only discovered when browsing issue histories where I knew I'd left detailed comments, and noticing my comments gone without even a note about deletion, leaving threads nonsensically fragmented.
When I tried to login, I was only faced with a generic "activity that looked malicious" message – but no hint of what that might have been. Once I complained, I was restored quickly – but if I'd been on extended vacation, or perhaps even passed away, there'd have remained giant holes, indefinitely, in projects I'd contributed to.
Was anything I legitimately did as myself suspect? (They couldn't say.) Was some third party trying to get access – or did they even briefly succeed, perhaps with some compromised credential somewhere? (That was my fear – but they couldn't say & there was no evidence of compromise in what I could see.)
After several angry emails about how they shouldn't accuse a longtime paying account in good standing of 'malicious activity' – creating fear of an account compromise of unknown extent – they finally said no, it wasn't unauthorized access (or attempts thereof) but some comment (unspecified in age/topic) that a filter deemed similar to other malicious comments.
I'd paid them ~$600 over the previous 5 years, and still had an active subscription with working billing details. My account was nearly a decade old with a wide variety of contributions & comments. But still, an automated system with no apparent human review disappeared my account, without even generating a notification.
When you have 40 million users and a few hundred people running the system, all kinds of issues just sit in queues never seen by human eyes until a gigantic stink about it is raised.
The usual issues arise about enforceability as long as this is only European law, and about ambiguity in the way the GDPR itself is written.
However, it seems likely that arbitrary deletion of personal data like this could fall foul of the requirements for integrity and availability, particularly given the GP was a paying customer.
> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
And any exceptions still require the data controller to provide:
> suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If this is a thing that happens at Github, I guess that's another reason to check out Gitlab instead.
Not that those warnings were heeded, of course, as usual.
I would argue that we should encourage more platforms (paid) that can host git and not just depend on github or gitlab. But those 2 are successful because they were some of the early ones and then got a lot of money/funding. There may be other alternatives but no one wants to put their code with a small risky company that may not exist tomorrow. IF we can solve that problem, I think we will be ok.