696 comments

[ 3.5 ms ] story [ 472 ms ] thread
That's crazy that a manual error by someone, for whatever reason, end up being an article blaming Github for all sort of reasons. And never accepting that the thing that really failed here is the user who performed the action.
They do raise a good point about the UI though, explicitly showing "you're about to nuke 55k people, are you sure?" would make the user pause.
I have no dog in the fight here, and no affiliation to HTTPie, but this definitely seems like a Github issue to me. You can't just give users ways to easily and accidentally shoot themselves in the foot, and then blame the user for shooting themselves in the foot.
Who got shot in the foot here? The article keeps talking about killing 55 thousand people. I’m trying to grok why “unstarring the repo” is such an earthshattering thing. It’s annoying if you wanted it starred / wanted notifications, because you have to notice and redo it… but there’s no irreparable harm, no data loss.

This reads like somebody was placing way too much personal mental value on “the repo for my project has a large number of stars”

Have you been living under a rock? Everyone judges repos by their amount of stars. Why do you think every social media network has the concept of likes?
Can you just clarify if that statement was sarcastic or not?

I've had a very different experience around stars - they're just a bit of fluff and pretty unimportant compared to watches.

HTTPie's watches were irreversibly deleted, too.
> Irreversible

If the watchers still care to watch, they can choose to watch again.

That's not a reversal. If I burned your diary, you could write a new one, but nobody would call that a reversal.
They didn't burn a diary. They burnt the list of people who subscribed to updates to a diary. If those people still care about the diary, they can resubscribe to those updates.
It's crazy to me how quickly this conversation has devolved. If Pewdiepie had all his Youtube subscribers deleted should he just say "oh well, the ones that like me will come back". No. Because that's an absurd attitude. Obviously that would forever hurt his viewership. Github is no different with stars. They matter. Period. Maybe not to you. But they matter.
Pewdiepie's compensation is intrinsically related to his subscriber count, no? That gives him a reason to care. Is your compensation similarly related to your github star count? I sure hope not..

If I unstar your repo, I have not taken anything from you because you never owned my star in the first place. Github presents this number to you as though it were important, to give you a dopamine hit when the number goes up. Their motivation for doing this is obvious. If you fall for this trick, that's on you. You have the choice to stop caring.

And even if the premise of these metrics being important were accepted, the fact remains that the removal of people from the watchers list is not irreversible. No irreplaceable documents were destroyed. No diaries were burned. If the repository had been deleted, commit history erased, that would be comparable to a diary burning. But that's not what happened (and would probably still be reversible.)

>If the repository had been deleted

For which to happen you've to do the same thing: type out its name. So I wonder if people ask for privatize to be presented with number of stars, should when deleting a repo GitHub present you with number of commits, issues, releases, etc as well?

Assuming you're not being sarcastic: a company providing a metric and telling you to care about it does not oblige you to actually give a shit.
I feel like a parallel universe has suddenly intersected our own.
So all those people got notifications and then some of them looked further at the notifications and then engaged. Now those people won't get those notifications and won't engage. Most of these people won't notice they don't get these notifications. They won't resubscribe. They're lost forever. This is kind of like losing your email list.

Your comment reads like you don't understand how a community works.

If the measure of community is “people who get my emails, and wouldn’t notice if they stopped getting my emails”, then yea, I guess we just disagree about what a community is.

I’m on an email list for marketing message for a hotel I stayed at last year. TIL that I’m part of their community.

Yea, over simplify it, that's always great.

If you focus solely on the getting notifications part. But the core part of any community is the ability to broadcast news to them. If you remove the ability to broadcast news and falicate communication between members then the community fades. Especially, if it's remove.

Not all members of a community are extremely active, some aren't that active at all if you remove the ability to let the less active people know stuff that may be of interest to them then obivously it'll damage a community.

To be fair, people very active in a project will probably realize relatively quickly.

Those most likely lost to the wind forever are the ones that star a repo and forget about it.

I think the problem self corrects but agree there's a short term slowdown possibility in the wake.

You don't get notifications after starring a repo, they're only a measure of how popular the repo is. The repo did legitimately lose its Watchers, but the author seems a lot more concerned about losing (and getting back) the stars.
It's very much a matter of reputation. Losing the star as a user is a pretty small inconvenience, tantamount to losing a bookmark.
> there’s no irreparable harm, no data loss.

There's a repo-user join table that is gone. That's literal data loss. If I delete your contacts, is that data loss? I mean, you still have your phone and all your ex-contacts still have phone numbers.

I've never considered data I deleted to be lost.

"Do you want to delete this?"

"Yes"

"Are you sure?"

"Yes."

....

"OMG it's all gone!?!?"

It's not so easy to make this accident - one needs to type the full name of the repository. AWS does the same, for example, when deleting RDS instances, and I find it effective.
This is explicitly addressed in the article, and a compelling case is made for why that safety measure was ineffective in this case, I encourage you to read the article
Yeah. I'm not sure what else you can do with warnings other than make the person effectively recite back the thing they're doing.
There was an explicit suggestion right there in the article what else they could do, so you don't even have to guess.

Typing in the number of objects that would be deleted in addition to the name is something else.

Or, they could just keep all of them in place, but hidden, and "restore" them all automatically if you made it public again.

There are lots and lots of things they could do better, if they cared. But paraphrasing Eunice, of course they don't care, they're Microsoft.

> There was an explicit suggestion right there in the article what else they could do, so you don't even have to guess.

I read it, but I disagree.

Honestly I don't think it would have prevented this. If you're muscle memorying past warning signs the text on the warning sign isn't going to matter much.

My point was purely about UX, obviously there are technical solutions to this problem.

> If you're muscle memorying past warning signs the text on the warning sign isn't going to matter much.

Do you have any concrete evidence for this? A lot of people keep saying this but don't provide anything factual in the way of UX studies, etc.

Well it's exactly what happened in this case. The user got a sort of warning fatigue with the UX and familiarity with it made it easy to do without much internal debate.

But I think some other UI flaws contribute to that in this case.

Comfort with a UI means eventually you want it to get out of your way and your brain will do what it needs to streamline the process. At which point those elements intended to break the flow of the app no longer do.

A Firefox use case w study and their approach.

https://medium.com/firefox-ux/designing-better-security-warn...

Good discussion of the problem:

https://ux.stackexchange.com/questions/44609/how-do-i-avoid-...

My takeaways are as follows:

The best thing to do is provide undo. Then you can reduce the hoops people have to jump through because the consequences are less severe.

Simplify the modal so the text about what will happen stands independently enough to be parsec on first glance.

Show quantified data on what could happen. Instead of "you will lose all followers" which is true for any app, display "you will lose all 54,318 followers"

It is a big failure by github that making a repo private immediately and irrevocably destroys all the stars.

That's a much bigger failure than clicking the wrong button.

Having read through the article I'm really not getting the same vibes of Github being wholly blamed for this mistake - they clearly call out their own user error directly in the article but offer suggestions to make it less of an issue in the future. I got the sense that a long time user had went through a hellish week of trying to restore data and is feeling bitter but mostly just wants the product to improve.
With that mindset, planes would still fall out of the sky every month. Because basically 90% of plane crashes used to be "pilot error". If you then say, well, it was pilot error, bad pilot, can't do anything about it, that's the way it is, pilot should've not made an error... well, then we wouldn't have reached the amazing aviation safety we have now.
Likewise, surgical deaths. The number of people dying on the operating table is in sharp decline because hospitals have lately begun to institute procedures that make mistakes non-fatal.

An early one was making the "oxygen" knob on the anesthetist's gas panel not go to zero. But it appears lots of people here can't imagine why that change was made.

Pilots and doctors are two great examples of customer pools where UI/UX actually gets a significant amount of attention because we all realize how high the stakes are. I imagine the FDA has zero tolerance for vendor software that is bundled with dark patterns that encourages doctors to promote the prescription of certain drugs over others... at the same time we have quizzes that have made it to HN multiple times[1] that reinforce the "correctness" of dark patterns.

UI/UX often gets overlooked as being unimportant, and, as a backend person I can definitely sympathize, but when you're building a product that people use for important things it is important to give UI/UX the attention it deserves.

1. https://cantunsee.space/

> I imagine the FDA has zero tolerance for vendor software that is bundled with dark patterns

Here's a recent case of a nurse going to prison for a medication error, where the UX of the medical cabinets is blamed in a big way: https://khn.org/news/article/radonda-vaught-fatal-drug-error...

> The case against Vaught hinges on her use of an electronic medication cabinet, a computerized device that dispenses drugs and is widely used in hospitals > > ... > > Vaught triggered an override that unlocked a much larger swath of medications > > ... > > Some experts have said cabinet overrides are a daily event at many hospitals. > > Vaught insisted in her testimony before the nursing board last year that overrides were common at Vanderbilt, and that a 2017 upgrade to the hospital’s electronic health records system was causing rampant delays at medication cabinets. Vaught said Vanderbilt instructed nurses to use overrides to circumvent delays and get medicine as needed.

I think there might be a difference between losing a plane and losing your “GitHub stars”.
It is a difference of degree.

People making bad UIs make them that way regardless of consequences for users.

Planes have plenty of ways you can deliberately turn off systems and kill everyone on board. And they require less work that having to retype a whole text into a confirmation box.

You missed that besides fixing UX, we also train pilots to think about their actions, talk to copilots about their actions, take responsibility for their actions and most importantly, not to press buttons on "autopilot".

That's a completely different situation and defending learned stupidity of just clicking ok to everything.

What could the author have done with this post that would take it from being “blaming” into “giving feedback in an earnest intent to save others future pain”?
Drop passive aggressive comments like the one about how they're going to stop wearing their GitHub T-Shirt because of how GitHub subjected them to the same treatment that lesser and more unworthy projects would have received.

Even using words like "future pain" is pretty crazy. "We lost 54k GitHub stars"? They're imaginary internet points! Cope.

It sounds like you are ok with the post, except for the one sentence before the epilogue?
Acknowledge their own agency and responsibility.

Literally stop blaming with language like “GitHub deleted…”

How would you word that sentence and remain factual about the deletion?
“I accidentally made a repo private, which resulted in all of its stars being removed.”
From the post:

> Due to an unfortunate sequence of events, I accidentally made the project’s repository private for a moment. And GitHub cascade-deleted our community that took 10 years to build.

This reads the same, to me, in terms of cause and effect.

I swear there's something in the water. This entire thread has a ton of nastiness/bitterness in it.
In terms of cause and effect yes, in terms of attribution no.
I’m sincerely struggling to understand - what is changed by referring to Github as the subject of the second sentence, as opposed to leaving out Github in the version you proposed?
It’s active voice vs passive voice.

People frequently use the passive voice when referring to how software works. Like, “I entered my PIN and the phone unlocked”. “I entered my PIN and the phone unlocked itself” is maybe common too, but less common is “I entered my PIN and iOS unlocked my phone” or “I enter my pin and Apple unlocked my phone”[0].

Using the active voice shifts responsibility and autonomy for the action away from the author and onto GitHub. (Which, I mean, is exactly what the author was trying to do I think. But we were talking about ways the post could be changed to do that less.)

[0]: This is confounded a bit by GitHub being both the name of the software and the company. In context though I believe they meant the company?

Thank you for a patient explanation. I see that using passive voice leaves out all other decisions, choices, influences, etc. And I agree that active voice is a shift to bring those into the mix.

I think the point I’m hung up on is I just don’t see blame in my version. I sincerely read it as a factual retelling, including GitHub (the software) as an agent that responds to commands and performs them. It makes me wonder where the borderline (if there is one?) would be between statements that convey neutrality versus seeming to be accusations (perhaps unintentionally and undetectably).

I am curious what you do see as GitHub the company’s contributing actions to the overall situation. And where the accusation line might be.

Clearly someone or some group of someones at Github built the functionality. And, in so doing, made it possible for an accidental deletion situation to exist, even if at the time they did it completely in good intention and with included warnings.

At some point though, Github themselves deleted data on their own repo by taking it private. They followed up by restoring their data, and not changing the dialog to be more clear.

Are any of these statements blaming, to your eyes/ears?

Github UX team has a responsibility to its customers to make this error MUCH harder to make than it is
I suppose you never take a backup because everything should be in ideal conditions. If you consider manual errors as non existent, you need to rethink your design.
It's true that this is "PEBKAC" but it's also true that this is a UX/system design failure on GitHub's part.
To borrow something from safety engineering - there is no such thing as an operator error, only bad user interfaces.

I definitely think this is github's fault for creating a system where an operator error is likely. OTOH stars are such a vanity metric that i can't be bothered to feel too sympathetic because who cares about stars?

In a normal organization where stuff like this happens one has backups since one runs these things internally.

Humans make mistakes all the time. We build systems to try to mitigate these and build them better by learning from new mistakes.

It does strike me as unfair that GitHub themselves made the exact same mistake but were able to fix it with database backups.
I'm just surprised that after going through that pain themselves they didn't decide to revise how that social linking data is handled. A lot of github content is softly deleted by necessity, you couldn't nuke tickets written by a now non-existent user or unmerge PRs so this isn't really a new concept to the team.

I don't think it's surprising they'd do such a thing for themselves and not a customer - I'm more surprised they didn't remove the footgun for future mistakes on their part.

(comment deleted)
Or simply automate the restoration! They know how to do it! Make it easy!
True. On the other hand - Atlassian did automate their backup restoration. Look where it brought them ;-)
Obviously you need to automate the restoration of the restoration!
Internal vs External support.

Internal support is inherently limited: the single organization is of limited size.

External support has no limit in scope, you have to setup SOPs (Standard Operating Procedures), communicate expectations, likely hire support staff...

Look at it this way: internal support is helping your friends, but external support requires setting up contracts.

I get that, but they probably shouldn't have publicized the remediation via a public tweet if it's an avenue that's closed to the rest of us plebs (since in cases like this, it really feels like salt in the wound).
I wonder how different the response from Github would be if this blog post was instead, "Oops, Github's confusing UI made me delete the entire project metadata... so since we're forced to start fresh we decided to move to Gitlab/sourcehut/etc."
(comment deleted)
There is no way in the world that the kind of person who writes a post like this and clearly places so much emphasis on gamified social media stats as a proxy for self-validation ever chooses to move to Sourcehut. No way. GitLab is most likely out of the question, too. The author of this post is exactly the kind of ideal customer for what GitHub is "selling" and that the others can't provide.
There was a way to say this without framing it as a personal attack. The author may care about stars because they find that increased engagement leads to higher quality contributions, for example.
httpie would never do this. Deleting their stars is already a blow for their community, but changing to another provider would kill it.
And yet they specifically call out Microsoft. And then the only consequence is "I will probably take a break from wearing Octocat-decorated t-shirts."

Which makes them come out as hypocrites. You don't get to blame Microsoft for EEE, and then continue to help them with it !!

Just as AceJohnny said, the scope of this is entirely different. Restoring a backup for an internal project costs time/resources that the company can easily handle. If it became a problem it would be easy for github to tell their internal projects "No, we're no longer restoring from backups"

Opening up the ability to do that externally would potentially require multiple people working full-time to handle the requests.

"We even offered GitHub financial compensation for any resources required." Considering the tone of the article I think there's a very high risk if github accepted agreed to that we'd see an article titled "Github charges popular open source project $5000 to fix a minor accident"

Or, knowing that it's the only way they have to recover from this situation, they could make the process easier to do and price it out as a service.
Or, just leave everything in place, always, and have the other code ignore the annotations for exactly as long as the repo is private.
Just FYI - you can star private repositories so it's not quite that simple. You'd need to determine if the starring aligns with permissions... but I think it's still relatively reasonable.
Ok, then have a separate button: "Delete all 54,000 stars on this repo", completely independent of public/private.
When you think about it, it seems reasonable, I think about what would happen if it were me.

If I was working at GitHub, and I nuked something, then the rest of my day would be un-nuking that thing. On the other hand if I was working on something totally unrelated, and then you my PM came to me and said "can you stop what you're doing and unfuck this thing" it would obviously depend on what I was working on.

It's your customer (repo owners) asking for support and throwing it away being busy is just lazy attitude. You had prior incidents and the bugs were left as is and apparently it will happen again.
Being busy is lazy? GH has hundreds of thousands of customers. In your company, how often do you immediately drop everything to work on a single customer's issue? How often do customer issues sit in a support queue? What would be the reasonable turn around time for an issue like this?
It would strike me even more unfair if GitHub fixed this mistake only for customers they like.
I would observe that even today, the GH desktop repo has only 14k stars, and at the time, archive.org says only 2.6k[1] - so I would not be surprised if the costs associated with the restore were massively different.

(Not weighing in on whether they still should have considered it or not, just observing that their claim that it costs an unacceptable amount may not be inconsistent with having restored a much less comparatively "hot" repo.)

[1] - https://web.archive.org/web/20201116172809/https://github.co...

(comment deleted)
Why do they even delete those stars?
When the repo goes private, people who can’t see it any more can’t have it in their list of starred repos.
why not just do not display it and keep stars?
So mark the repo as private without their permission to view and have queries for starred repositories ignore repositories you can't view - that's an extremely frequent approach to take with complex permission and social functions. I completely understand that not everyone has time to build everything and software is an evolving process - but soft deletion for social links is my default state of mind (then you overlay it with indexing or caching or whatever your performance flavor is to make sure those soft deleted rows don't exist in the active query space).
I mean, they totally could have built it that way. But they didn’t. I was answering why stars were removed.

From a data complexity standpoint, it sounds like they decided they didn’t want to have to make calls to the authorization layer when parsing a user’s stars. The downside is the behavior seen when a repo goes private, but my bet is that repositories being made private is far less frequent than calls to get a list of starred repos.

I totally get that - it's not an insane design decision it's just different from what my default suggestion would be. And to be honest - your source of truth database, on a system of this scale, is likely going to be detached from your pool of active data (possibly with some data shadowing, caching - what have you).

The thing that throws me off is that they shot themselves with this footgun - whenever we (munk-a's employer) footgun ourselves we remove the footgun to prevent future footgunnery. They made the original design decision one way, and when they were burned by it they didn't re-examine it.

FWIW, if the blog post had centered around “GitHub, it’s strange to me that you made this mistake and didn’t reevaluate the root causes, and now I’ve made the mistake and it sucks”, I’d not be griping all over the comments here.

It’s the framing that GitHub has inflicted a deep, irreparable wound to the author that I can’t reconcile with the facts.

> From a data complexity standpoint, it sounds like they decided they didn’t want to have to make calls to the authorization layer when parsing a user’s stars.

You can also solve that by adding a flag column, or putting privated stars in a different table. That tiny bit of denormalization shouldn't be more expensive than the current process, or the other costs of privating/unprivating a repo.

Why not?

I think the respectful solution is to show it as "you starred X, it's private now, you can unstar if you like" (make sure if the name changes privately then the new name isn't shown).

Such a solution is not only good in the case of mistakes like this, it also doesn't gaslight the person that starred a repo only for it to disappear from their list.

Or even make it so that those starrings that no longer have permissions to view the starred item just effectively don't exist because of data rules.
That's bad because it lies to users and you can't remove the star when it's in that state.
But if your star doesn't effectively exist why does that matter?
Because if the star is merely hidden then the repo can come back later. If you don't want any association with that repo any more, it's bad that it can put itself back into your starred list.
This may be the most hilarious misuse of “gaslight” that I’ve ever seen.

If I publish something and you save the link and then I decide “nah, I don’t want that to be published”, I haven’t gaslit you.

I think you misunderstood.

If you remove the content, that's fine.

If you make the link itself disappear from where I saved it, that's gaslighting.

Neither one of these is gaslighting.
Sure, to really count as "gaslighting" there has to be a deliberate attempt to make someone doubt their own sanity. I think we can rule out malicious intent in this case. However, when you save a link to something and then later come back to find the service acting like the link never even existed, as opposed to telling you that it was removed, that can feel pretty similar even if it's not intentional.

A user's list of starred repos shouldn't be silently abridged just because one of the repos was removed or made private. A placeholder should be left indicating that the repo was once starred but is currently unavailable.

This is something I always found annoying about Google Play Music also; when they removed a track from their service it would just silently disappear without a trace from your playlists, so unless you saved a copy of the list somewhere and compared them you might not even know to look for it elsewhere. You're just left vaguely wondering why that song never comes up in the shuffle any more. YT Music is a bit better about this—they generally leave a grayed-out placeholder. Sometimes the metadata is lacking but you can at least see where it was and know that a track was removed.

> it also doesn't gaslight the person that starred a repo only for it to disappear from their list.

It's honestly hilarious how the definition of 'gaslight' has expanded so dramatically in the past few years that it now means 'anything that confuses me'.

For future reference, here's what it actually means [1]:

> Psychological manipulation of a person usually over an extended period of time that causes the victim to question the validity of their own thoughts, perception of reality, or memories and typically leads to confusion, loss of confidence and self-esteem, uncertainty of one's emotional or mental stability, and a dependency on the perpetrator

Github did none of those things to you.

[1] https://www.merriam-webster.com/dictionary/gaslighting

Removing something from my personal bookmark list, with no notification, does in fact lead me to question the validity of my own memories.

That fits just fine with simpler definitions like "To mislead someone such that they doubt their own memory, perceptions, or sanity."

It's an expansion from the original context but I don't think it's an unreasonable expansion.

The origin of “gaslight” is a movie where a husband surreptitiously removes objects from the room, dims and brightens the lights, etc. and pretends the changes were just the wife’s imagination. https://en.wikipedia.org/wiki/Gaslight_(1944_film)#Plot

Removing bookmarks from someone’s list without notification seems at least broadly comparable (in both cases, the victim is confused and might question their own memory, because the state of the world changed in an incongruous way), though it is the action of an emotionless machine with a programming bug rather than a malicious human.

> albeit the action of an emotionless machine with a programming bug rather than a malicious human

Yes, if you remove a major part of the definition (intent) then it can fit whatever you want it to fit. Like Gino D'Acampo most famously said [1], if my grandmother had wheels, she would have been a bike.

[1]https://www.youtube.com/watch?v=A-RfHC91Ewc

I think it’s a fair use of the term. I’d maybe feel differently if there was a better term to use for “non-intentional gaslighting”, but afaik there isn’t really.
How about we coin a term today, "LEDlighting"? (Pronounced Led-Lighting).

"When a digital platform's state is altered in an opaque way without input on the user's behalf that directly commanded it to, and as a result causes them to question reality in the form of either their memory, the actual state of the system itself, or whether or not the system was intentionally made to do it by an unseen human."

Shadowbans, whether you think they're a good form of moderation or not, would be an example of LEDlighting.

In a game if the chat system stops working but the rest of the game works and everyone thinks they have been muted for some unknown infraction of the rules by an overreaching moderator, that's also LEDlighting.

(comment deleted)
It's just bad design never getting fixed despite several prior incidents except for GitHub's own project which they reverted.

Why do they not just give a public/private flag on star data than somehow modifying the data irreversibly?

For users, just remove the repo from their starred project list if it's not visible.

"It's their fault, they only showed 5 warning banners. A 6th one would have totally stopped me from doing this."

If a "type your repository name to confirm" box still doesn't make you double check that you picked the right repository, what else can they even do?

There's more nuance there:

> I didn’t realize at the moment there’s an inconsistency in the naming of this special repo containing profile READMEs and that it differs for users and organizations: name/name vs. name/.github.

It's not unreasonable for the author to have taken the action they did given what they were trying to do. The inconsistent UX for User vs Organization READMEs is a major factor in how the error happened.

And given the number of single-repo orgs where the org's main product repo name == the org's name, well, it's not as surprising I'd say.

I came in to say precisely this. It’s easy to point fingers after the fact but probably the person wouldn’t have checked regardless of the message in the dialog box.

“They warned me but because I didn’t read the dialog box because it was too boring!

if you RTFA he did actually read the dialog box (which is where he found out that it would delete the stars) he just didn't notice the 1 line in a 30+ line generic modal.

He accepts responsibility for what he did, but points out the very real opportunity to improve the UI/UX of a very destructive operation with real contextual data about what is about to be destroyed.

You can only confirm the dialog box by typing in that line you're saying he didn't notice.
Reads article and somehow misses it's entire thoroughly examined point, chides author for not paying attention.
If I understood the blog post correctly, the author wants the "You will PERMANENTLY lose: All stars and watchers from the repository" to be changed to "[...] X stars and Y watchers..." Which I agree would be a better UI.
Like so often we can easily judge this by how willing we would be to accept the same behaviour in real life and I'm pretty certain that most would not accept an UI where you could e.g. just give away your house by writing the wrong adress into some form.
I did RTFA. I do not accept the excuse that he didn’t read it properly. He skimmed it because he thought it was the same box but it wasn’t. He even admits that it contained the exact information that he was looking for. I don’t see any way he can complain.
Ok then.

I hope others are less judgmental of you than you are of them next you make a mistake in life.

I take ownership over my mistakes. I don’t try to blame others. The world would be a better place if everyone did that.
I believe the world would be a better place if we all showed a bit more compassion towards each other, but let's agree to disagree.
I am very compassionate towards their loss. It must suck to have mistakenly destroyed their community. However I draw the line when they falsely blame others for their own mistake.

You can be compassionate for a mistake and still insist someone take ownership over this own careless error instead of blaming others. You mistake compassion for “let them do or say whatever they want because they are a victim”.

If all you read out of that article was blaming, then you didn't read it very closely.

The main takeway that I took from that article was the seemingly low effort improvement that could be made to the UI/UX of that action, which could help other people not make the same mistake.

That's not about blaming Github vs. themselves, it's a reasonable critique of an existing system and looking for ways to make it better for everyone.

Unless you think there is no room for improvement in that system at all.

You need to read more carefully. The author goes through great pains to ensure he doesn’t admit fault. Never once does he say “okay I admit, I should have been more careful.” He doesn’t take ownership ever over the fact that he made the mistake. He thinks this is all GitHub’s fault because of his misunderstanding and carelessness.
Not going to lie, this sounds like classic projection to me.

You must focus a lot on blaming in your life if that's what you mostly noticed when reading that article.

There's no way for either us to really know the author's intent or what he thinks - beyond the words on the page - but you seem convinced that "where the blame lies" was a major motivation, even thought it's all between the lines even by your own admission.

I read it differently, so as I said earlier, let's agree to disagree.

I think the more you write the less you make sense and you’re really grasping at straws here. Nothing you say at this point is more than strawmen, meanwhile everything I have said is not only internally consistent but makes perfect sense. I think you should give it a rest.
Yeah, I also found that tone sort of jarring, but they do bring up a good point; the warning banner and inputs should be contextual and having to input the number of things affected would be a UI improvement. And I can understand why they would write this in anger/frustration.
I’m curious which statements from the article carried that tone?
I think in the "But theres a confirmation box, right?" and if I had to quote a portion I'd quote

>>"To paraphrase, the box tells you “You’re about to demolish a house. If there are any people inside, they will all die”. But it doesn’t include anything specific to break you out of your auto-pilot mode if you’ve confused the address and think you’re looking at an empty house."

>>"The dialog should be more contextual and, paraphrasing again, it should say “You’re about to kill 55,000 people.” That would’ve certainly made me pause."

Theres something about the juxtaposition that makes it feel like it should have been obvious. I think its because in those examples you would blame whoever didn't put whatever guard rail was necessary to prevent those outcomes. My suspicion is that it wasn't the authors intent and they were probably just upset, but thats an opinion I formed after reading the rest.

Thank you for quoting. I see where you’re coming from - the comparison to killing people is pretty hyperbolic.

Do you agree that, hyperbolic metaphors aside, the UI improvement suggestion is a good one?

go back and re-read the comment you originally replied to
(comment deleted)
Note the repository names here are "httpie/httpie" and "httpie/.github". I don't use github(but I do use git), but the difference between the two is not exactly clear to me.

They could show you the number of stars, follows, commits, creation date, the number of files, all sorts of things.

Also, note that github themselves accidentally set one of their repos to private, but restored it to a previous state through backups. If the move is so boneheaded, why did github make it themselves?

A better question might be why, after making the mistake(which was big enough for the CEO to tweet about), and restoring from backups, they didn't just fix the glitch and prevent this sort of behavior.

I’ve never liked those “type this string to confirm” dialogs. It doesn’t actually tell me what I’m confirming aside from the name of it (and names are easy to get muddled up if you’re tired or rushing through something). What’s more, dialogs like that encourage people to copy/paste those often long strings, which completely sidesteps the diligence they’re trying to encourage.

Whether you agree with the tone of that article or not, the UI suggestions made are sensible. Showing the contents of the repo you’re about to change is a lot more useful than asking someone to type the name of it.

> If a "type your repository name to confirm" box still doesn't make you double check that you picked the right repository, what else can they even do?

It makes you type user/repo, which is different in a serious way. It's easy for the difference between ".github" and "httpie" to set off alarm bells. But the difference between "httpie/.github" and "httpie/httpie" can slip through.

> "It's their fault, they only showed 5 warning banners. A 6th one would have totally stopped me from doing this."

The request is for the warning to say how much will be deleted, not to add another step.

The article spent significant space describing exactly what, and why.
(comment deleted)
Also seems a bit suspect that they had a "perfect UI/UX example" to show how they would have handled these dialogs. Is this whole thing an advertisement for HTTPie?
As much as I dislike the general tone of the blogpost (as well as specifics like expecting special treatment (ie restoring a backup) in exchange for money when 1) Github doesn't offer that as a standalone service and 2) that wasn't already in their contract), I don't see how the example UI is anything but a straight improvement.
Starred and watched again, it's a great project, hopefully the whole audience comes back soon
(comment deleted)
https://rachelbythebay.com/w/2020/10/26/num/ makes a similar point. I don't remember us saying people only have themselves to blame when that article was posted (https://news.ycombinator.com/item?id=24904204). Not sure why we're doing it on this post, which makes a number of completely reasonable and specific suggestions for improvement.
"Type a specific thing to confirm" (as suggested by the post you linked) is exactly what Github does for destructive actions. And the author still messed it up because they were on "autopilot". At that point the suggestions go beyond being reasonable.
You really think that adding contextual information in a destructive modal (i.e. "You are about to erase 54,000 stars") is "beyond being reasonable" ?

It seems like a pretty reasonable suggestion that doesn't feel like a lot of work, but could potentially prevent an irreversible mistake.

It doesn't suggest that you type a any old "specific thing". It specifically suggests that you type something to demonstrate you acknowledge the scale of the destructive operation you are about to perform.

The OP's main suggestion is along exactly those lines. It's actually less extreme, in some ways (see OP's "Lesson 1").

The confusion is justifiably well explained by the article:

> What put me on the wrong path was an otherwise completely unrelated action: I had just done the same (i.e., hidden an empty README) on my personal profile by making jakubroztocil/jakubroztocil private.

> GitHub’s conceptual model treats users and organizations as very similar entities when it comes to profiles and repos. In this context, and since I just wanted to repeat the same benign action on our organization’s profile, my brain switched to auto-pilot mode.

> I didn’t realize at the moment there’s an inconsistency in the naming of this special repo containing profile READMEs and that it differs for users and organizations: name/name vs. name/.github.

> That’s why I proceeded to make httpie/httpie private instead of httpie/.github without realizing my mistake.

This isn't "exactly" what Github does. The author suggests the number of machines to destroy in their example- a Github equivalent would be to use a number that represents the amount of resources to be destroyed. This is close to what the OP recommended.
They could very easily list the number of stars that will be deleted, as a sanity test. That in my opinion is even more reasonable than having to type the repo name, and should be implemented.
So you never copy and pasted into dialog boxes? This is exactly the same thing as the Windows warning messages were they found that nobody reads the because they are being trained to click them away.

The main thing I really don't get is why it even needs to delete all the stars? It's not like they delete all comments/issues... by users who have been deleted. So why could they not simply make the star point to a "ghost repository"?

> Of course, if you run into this a lot and you actually intend to hit that many machines, someone might start cutting and pasting the number. In that case, I would say that you're using that tool far too often, and should take a look at changing the way things are done to avoid having to rely on it this much.
That comparison spot the difference pic is really scary. I had to check it 2 times myself before I could spot that the last line is different.

Now that you're on the HN's frontpage, hopefully somebody from Github upper management will see this and all will be good soon thanks to gold old HN (especially when they did the same thing themselves and restored it).

Wish you the best.

> That comparison spot the difference pic is really scary. I had to check it 2 times myself before I could spot that the last line is different.

That's not the only difference. The other difference is that you also have to type the full repository name, including the organization name.

If they wanted to delete the correct repository, they would have to type httpie/.github, but instead they typed httpie/httpie.

It's unfortunate what happened, but without GitHub removing the possibility at all to delete repositories/change the visibility, I don't know what else they could have done to try to prevent it. It's really hard as a user to affect the wrong repository, as you are gonna have to mentally and literally pause to write out the organization name + repository (httpie/httpie in this case) and if that doesn't stop you, I don't think anything would.

> The other difference is that you also have to type the full repository name, including the organization name.

No, you don't have to type it, and I doubt anyone types it. You copy that line and paste it. Often it's done on autopilot, especially when in a rush.

I always just select the text and drag drop it in the text box with mouse.

In famous words of Mr. Larry wall, 3 great virtues of every programmer: laziness, impatience, and hubris.

I type it.

It’s typically short short, and it’s a very destructive action. It’s also very apparent to me why I would want to type it out.

That said, someone is going to make a mistake at some point. I’d expect better from github support here.

This topic really got me thinking.

A lot of us navigate by typing, be it CLI, in our IDE, URLs etc. And we must have got used to type hundreds of times our company or project names every day, in many places.

I can't imagine typing <project name>/<project name> in a input box triggering in us a lot consciousness or extra care. Typing something more unusual could actually be more impacting I think.

> I don't know what else they could have done to try to prevent it.

As the author of the post suggests: Prominently spell out "This will remove 54,000 stars." vs. "This won't remove any stars (there are none yet)."

I'm not convinced that would have really solved the problem. One could just as easily post a screenshot of two nearly identical dialogs where the only different is that one says "This will remove 54 stars" and the other says "This will remove 54,000 stars" and the same argument could be made that "the only way to notice the difference is if you happen to notice those 3 zeros."
It seems like a pretty easy feature to build. No database changes required, and I wouldn't be surprised if the API already returns the star count for the repo so it's client-side only. I'd guess somebody could do it in a couple of hours (famous last words lol). I'd guess adding that feature would be less time/effort than restoring httpie's stars. A/B testing might be a little harder since conditions like OP's don't happen often, but you could at least do some testing.
Another commenter suggested having to type the number of stars you’d be forfeiting instead of the repo name. Kind of a neat idea I think.
I think the only people who won’t notice three trailing zeroes are people who don’t need to
>I'm not convinced that would have really solved the problem.

It almost certainly would help. When you attempt to delete a world of warcraft character you are prompted with the character's level, among other info. This is the biggest difference you'll see between the delete procedure for a level 1 alt with < 1 hr played and a level 80 (or w/e) character with >10,000 hr played if you've named them similarly.

Because of the relatively low character limit and the popularity of alts, this feature (delete character) gets a lot of use and misuse so it's reasonable to expect the developers to have put some thought in to it.

In practice, they are extremely unlikely to be zeroes.
No amount of warning popups will help. The only solution is a delayed delete with the option to undo.
Until the next post by someone else that missed that warning and suggest to make the warning blinking with a big font
There is a difference between using UI tweaks (color/size/motion) to call out information, and actually displaying that information.

Right? As in, "this will affect 0 stars" vs "this will affect 54,000 stars" is an informational difference. Calling out "this will affect all stars" (without specifying a number) doesn't break a user out of doing it to the wrong repo, since that message is the same in both cases.

There are certain repository actions that require an interaction and assistance from GitHub customer support.

The community was valuable to GitHub as well.

I could see a spec on “sizable community thresholds” where if an interaction might blow away something of that size GH affords you an exchange with a “concierge” forcing a minor exchange with a real person.

This UI is predicated on the notion that the user will connect the word you're asked to type to the repository you're intending to modify.

Most of the time that's true, or we'd be hearing about this happening all of the time. But 'most of the time' is not 'every time'. 'Almost always' is also not 'every time'. This is a distinction that Human Factors people make that victim-blaming nerds do not.

You've seen the video on Youtube (or Reddit) of the guy holding the fish throwing his phone into the lake? He didn't do that because he was stupid, he did it because he made an executive decision to, "hold fish, take picture with phone, throw it in the water" and then his motor cortex swapped 'it' to the wrong hand and went on autopilot.

If you don't like that example, I know of a highly secure data center in Seattle that had the emergency power cutoff button pushed not once but twice by different tenants. The first time was a pure accident of bumping it while doing maintenance. The second time someone opened an acrylic case and pushed the button because they thought "buttons open doors, I see a button. Sure is weird that it is covered with a box... hey why did the lights go out?" You have problem, you observe action or object that solves problems (maybe not this problem), monkey brain attempts action to see if problem is solved.

Typing in the repository name narrows the gap between intent and action, but it doesn't close it. Technically making someone type, "Make hippie/hippie private" would at least make them spell out the intent, narrowing it again. But it doesn't make them state the intent. Strictly speaking, they are being told to transcribe text. Whether they parse the text they're typing or not is a separate step, in two different parts of the brain. Any of those fails to connect and you have a catastrophic destruction. From a Precautionary Principle standpoint, the consequences are exactly the same with all three options, and only the likelihood has changed.

If you want to make a big dent in outcomes you have to also reduce the consequences, not just the opportunity. Making all actions reversible is the most conceptually simple and the most technically difficult option. Parceling out consequences over time is usually less difficult, and if you pick an order that makes the feedback immediate, then the person realizes quickly that what they meant and what they said didn't line up, before the real damage kicks in.

Github is built around git. The two biggest ways to permanently lose data from git, one of them is protected by permissions and may be off by default. The other one is automatic but takes 30 days. That's two very different precedents that have been set, and they picked the wrong one to emulate.

> That's not the only difference. The other difference is that you also have to type the full repository name, including the organization name.

This is not true.

We had an internal tool at a previous job that required you to type the name of a service's cluster into a field before deleting it. Automated deployments sometimes got left behind - and users would go in periodically and clean them up.

If you watched folks, they would type the name of the cluster being deleted into that box UNTIL they had to do this many times in a row. As soon as it was a "batch" job, folks would go through the motion of:

1. click delete

2. double click service name

3. ctrl+c

4. click text input

5. ctrl+v

6. press "Confirm"

It was remarkable, after someone did this once, I don't think I ever observed them going back to typing in the cluster name. That algorithm of "copy and paste" carried over into every prompt they saw of that form moving forward.

I'm guilty of this too - I no longer type the prompted name for this form of confirmation dialogue, it's a copy-and-paste.

Lol, I do this whenever they ask me to re-enter my email/password for verification even though I know exactly the purpose this mechanism is trying to enforce.

Humans will always take the easiest route. We just have to accept that and come up with better solutions that aid humans or fit to our very weird nature.

> I'm guilty of this too

You and most of the rest of us, I suspect. Like I want to type that out every time...

I mean obviously users are going to cut and paste that output. It's completely hostile design in terms of usability on their part. What did you expect to happen?
I think you make a good point, the retyping is not perceived as a genuine sort of 2-factor step but is perceived like an annoyance. Maybe the consequences of the action should be shown in a screenshot with a 5 second wait. Personally the only reason it works for me as a 2-factor is because I think about what Github's intent is when they prompt me to retype the repo name and therefore I take a moment to reflect that I indeed want to do what I want to do. But isn't that backwards? I have to imagine what Github's intention was instead of simply seeing a ui and understanding it for what it is.
This is exactly what you start doing on Github too, since many repo operations require you to do it. Seeing this warning modal where you have to copy-paste some string is what you expect when clicking delete/make private/make public. I don't know if it really helps.
Maybe some kind of grace period could be implemented that would allow changes like this to be undone within 24 hours or something.
The other thing they could do is make user/organization structure for that profile readme the same - as he mentioned, he had just done it on his personal account, which is of the form `<user>/<user>`, so doing `httpie/httpie` for the organization made contextual/autopilot sense in the moment.
Just showing the two screenshots feels a little disingenuous though. It's not like that dialog just pops up randomly and asks if you want to delete a random repo, and the only way for you to know which repo it's talking about is to read that line near the bottom. In each case the path to summon that dialog had to go through direct interactions with the repo in question.
In both cases the dialog clearly warns you, with bolded text, on a separate line, of the consequences of your actions.

"We were in the top Xth percentile" makes the author sound like a complete tool and I have little sympathy for them, especially given they're already back to 3k stars.

Expecting the dialog to say "now, you've got 50,000 stars, are you REALLY REALLY SURE?" is just infantile, but really matches the overall tone the author has.

I'm afraid to think that these same people, having attitudes like this, are driving cars on public roads.
The dialog clearly warns you that if you have something to delete, it will be deleted, but it doesn't let you know if there is anything to delete.

That's not in itself a huge problem, but in this case it was compounded with the fact that the generic repo he was acting on is named inconsistently for users vs organizations, and he had just done it on his user account. If I'm reading correctly, a user's profile readme repo is `<user>/<user>`, while for organizations it is `<org>/.github`, and, crucially, `<org>/<org>` is almost always going to be the core project for that org.

So yes, the warning says you will lose all stars on the project, but in the moment it would have seemed (to a fallible human brain who was in a user-space context) that this was the right repo, whereas a "you will lose 54k stars" message would have broken the user out of that space.

You didn't lose anything, you asked for it to be removed by setting your repository private, albeit mistakenly. Something that is public (stars) cannot coexist with something that is private (your repo), otherwise unexpected things start to happen or you need to write a bunch of pointless edge cases. It makes sense. So does this article, but it should be a "lesson learned" and not a "GitHub fucked us" angle cause it pretty clearly tells you what you're about to do.
The article literally has a section "Lessons learned".
This is a similar attitude to blaming users who close an program without saving, telling them it's their fault; the program even asked if they really wanted to close without saving!

But, it's also totally possible for a program to store a backup, and let the user restore that the next time they open the program in desperation for not having saved their document in a moment of distraction.

> but it should be a "lesson learned"

Yes. And as the article notes, the lesson can be that software and UX can be make to accommodate better for possible user mistakes. I personally think it's nice to have Undo actions, or some ways to revert possible mistakes. It makes software way less scary :)

Why care? Stars don't mean anything, save for the few people who organise the software they use by starring it.

Certainly it's not a community owned by the maintainers. I don't own a connection with the people that upvoted this post, and stars mean exactly the same (effectively nothing).

Of course if GitHub were only a service for cloud hosting of Git repositories, it would be totally irrelevant whether or not the repository was marked private for 30 minutes.

But GitHub, by design, seeks to be as much of a social network as a repository hosting service and people take the stars very seriously. I’ve seen many CVs that brag about the candidate’s star counts.

>GitHub, by design, seeks to be as much of a social network

This is so true - not sure why it isn't getting talked about more - they even have a feed now [which is getting better every few days]

This change also clears out watchers. I was watching the repo to be notified of new releases (and security updates) and that was wiped out as part of this mistake.
The post is omitting that the user must type the name of the repository in full; in this case, they typed `httpie/httpie`. If one is in such a deep autopilot state, no amount of warnings will work.
Does anybody actually type those? They were a neat solution 10 years ago but they’re so common now for even inconsequential actions that I always copy and paste, on complete autopilot.
I came across such a prompt maybe three times total in my life, all of them making GitHub repos public or private, or deleting them. Made me stop completely in my track. So it seems to be very much dependent on what you do day to day.
The post addressed this.

> What put me on the wrong path was an otherwise completely unrelated action: I had just done the same (i.e., hidden an empty README) on my personal profile by making jakubroztocil/jakubroztocil private.

> GitHub’s conceptual model treats users and organizations as very similar entities when it comes to profiles and repos. In this context, and since I just wanted to repeat the same benign action on our organization’s profile, my brain switched to auto-pilot mode.

> I didn’t realize at the moment there’s an inconsistency in the naming of this special repo containing profile READMEs and that it differs for users and organizations: name/name vs. name/.github.

> That’s why I proceeded to make httpie/httpie private instead of httpie/.github without realizing my mistake.

There's a subtle naming difference between profile README repos for users and orgs that was the root cause of this. The user typed the repo name in however because it matched the same format for the previous profile README repo, it didn't register that this was not in fact the profile README repo they were looking for.

The post did not omit that, it included the very similar thing they typed as context for how they auto-piloted it. In that autopilot state having to type out 54000 would probably have snapped them out of it. I get why you'd think the author is being unreasonable, they seem to imply that this should already have been done, but I think that is mostly them feeling upset about the situation. The actual observations would be thoughtful improvements to the UI.
Your comment is omitting that the post covered this exact point in detail: they had just done the same operating on their personal profile where you have to type [username]/[username]. [organization]/[organization] is the obvious corrolary.

Anyways it's embarrassing that Github made this same mistake themselves, and yet couldn't spare the time for a massive content creator contributing to their platform

Not just embarrassing, disgraceful.
They address that in the post. Github treats organization accounts differently from personal accounts, and what would have worked perfectly fine and expected for a personal user account actually impacted a different and unexpected repo for an organization account. I would wager 99% of Github users would make a similar mistake in the same situation since they rarely deal with organization accounts directly.
GitHub made a cardinal UX design sin here: never use a warning when you mean undo [1]. If they had given even a five minute grace period before starting the irreversible process of removing all the watchers, this wouldn’t have happened.

https://alistapart.com/article/neveruseawarning/

Which comes with its own problems. What if I just published something I wanted to be secret? Then I need to be able to switch it back to private, and it has to be quick, not after five minutes. Distributed systems with eventual consistency already make fixes like that hard, not to mention caches and whatever.
The GP didn’t mean “wait 5 minutes before making any action”, they meant “stage the change so the user can see the result of their action but they still has a grace period to undo it”.
Or, have there be no need to undo anything. Why should ticking the "private" flag have any effect on anything else? If you wanted an effect on something else, a separate button "Nuke all 53,675 star from this repo", with its own protections, would suffice.
How would stars and watchers work on a private repo, though?
Just don't show them. Filter out private repos before showing a user's stars, notifying them of issues, etc.
Right, just more work. More tests. More edge cases. More time.
Well, they put in the time to test a massive cascading delete operation. Surly a flag would have offered far less possibility of catastrophic outcomes and therefore would been significantly easier to confidently develop and test.
Cascade delete is a less risky operation from a security stand point. There are so many edge cases where potentially sensitive information could get leaked with regards to subscribed private repos if not handled correctly. In fact I have personally filed a bug bounty with GitHub after discovering just such a bug.

I’m not saying there isn’t a better way Github could handle this situation. Just that I do sympathise with the decision to cascade delete.

If they are using a database's built in support for cascading deletes, and if the star tables are simple m2m tables (basically just 2 fk's per row), the work to implement and test cascading deletes is trivial.
Could just make them inactive for a while, but still registered.

Stop sending notifications to watchers, and replace the repo in the stargazer's starred list with a "The following starred repos are currently private and cannot be viewed:" and make the stars be remove-only for a while.

(comment deleted)
There is no undo there. 5 mins seems like a long time to you but to the bots that scrape GitHub repos for secret things, the time it took you to notice and reverse something yourself was already the time they needed.

If you made something public on GitHub that shouldn’t have been, it was immediately compromised, you just might not notice.

Making a private repo public could also be delayed.
It's understandable why warnings are used instead of undos though. Warnings are dirt simple to implement - probably a single line of code in most languages. Undo is very complex by comparison. You have to flag something for deletion and put it into some sort of deletion queue that somehow gets deleted at some future date, etc.
It’s definitely easier from the implementer’s point of view. That doesn’t make the UX any better, though.
Warnings can be done completely within the frontend, that probably makes them way more desirable for the company.
Hi newbie developer here, where do i find and learn about ux design priciples like this? Just curious, thank you thank you.
"Design of everyday things" is a great book to start.
Surprising amount of people blaming the user here. I agree completely with the author, the UX should be different for clearly "big" repos.
How big is "clearly big"? Whenever someone makes the same mistake with a slightly-less-big repository should the warning thresholds be revised to also show up for those?
It should just show the amount of stars / watchers for any repository. I don't think a custom strategy based on repo size is needed.
Murphy's law strikes again. Really appreciate the writeup. Making the best of the situation is a valuable lesson in itself. Hope you can get the stars back one way or another! =)
What can you purchase with GitHub stars?

More seriously, why do they matter? Is it a prestige thing only or are there practical consequences to losing the stars?

(Whether it's a good idea or not,) people often use stars as a quick-and-dirty proxy for "is this repo reasonably well trusted?" and "how big is the community for this project?". All else being equal, many people would default to using a repo with 20,000 stars over a repo with 20.
As a junior developer, GitHub star was one of the most important metric when I am choosing library/software.
A practical consequence (not necessarily the only consequence) would be for the people who starred it who use stars as a bookmark feature: they have now lost their bookmark.
Starring a repo is a way of tracking it. So now there are 55k people who were trying to keep an eye on the project who have silently lost that.

It's also an important indicator of community size and authenticity, important factors in the decision to use the code.

> silently

I’d argue that GitHub should send them a notification that the repo they starred has been made private.

And another that it was made public again. Or neither, and just not delete shit that there was no need to delete.
My point is that IF they delete everything, they should send a notification to the affected users. When the repository is made public again, then since they deleted the star relation it’s not possible to send another notification.
Unless, of course, if they just changed the column setting from "starred" to "was starred". As they could do. If they cared.
That’s why I wrote “IF they delete everything”. You’re saying they shouldn’t delete everything, which I agree with, but that’s not the case I was addressing.
The user said "delete this stuff". GitHub asked, "Are your sure?" User: "Yes".

Seems like a good reason to delete it.

No. The user said, "make it private". That has nothing to do with deleting anything.
I sometimes decide what to use based on number of stars. It's a trust in the quality of the software.

Now httpie is on 2.5k stars and if I only knew about it today, I'd consider using an alternative with 10k stars if there's any.

From personal experience and from reading the other comments, some people see open source as a popularity contest and more stars will get you more users (which in turn gets you more stars).

Choosing one library over another just because it has more stars is bad decision making.

Consider choosing a command line tool for making http requests. If you consider GitHub stars: - curl has 24.7k stars - httpie has 4.3k stars as of writing this - wget only has a mirror on GitHub with 264 stars

Does this mean wget is a bad tool? Does it mean httpie used to be vastly superior to curl with over 2x the amount of stars? I don't think you can really say anything meaningful about these projects based on the amount of stars, especially relatively to each other. Except for how many people clicked on the star button.

(comment deleted)
This happened to me as well. It's sad that GitHub doesn't retain that data.
They apparently do. Even if they did hard delete they still should have backups. They just got lazy fixing it after several similar incidents and this one was expected and yet all they do is a tweet saying "good luck building up the community again".

My faith in their tech department is falling when they can't fix such a small issue.

Heavily reminds me of this RubyConf talk: https://rc-temp000-videos.s3.us-west-1.amazonaws.com/Laura-M...

One of the core bits of the talk is about the sort of messages our automated systems give us, and whether they're sufficient, or woefully lacking - which is what the linked article is also talking about, when it talks about how the "warning: about to burn down a house" doesn't tell if anyone's in that house.

I really like this post.

While the author clearly feels bad about the fact that they've lost his community and that GitHub didn't restore it (which is honestly what any of us would've felt under similar circumstances), they're also focusing towards the future and using their personal experience as a parable all of us can learn from.

Lesson 1 on UI design I think is really important. I often think scary popup boxes are enough to get people to think about what they're doing, but this example clearly demonstrates that what's important is to use design not to scare (alone?), but to convey the information which makes a dangerous action dangerous as well. I also really like the fact that when the action isn't dangerous, the distractions ("Type this repo's name", etc) just go away. It's super intuitive, and (for a newbie designer like me) really helps build an intuition for various design principles put in action.

Lesson 2, which was to use soft deletes, is something I have more thoughts about. I assume that the cascading done on GitHub would be done on a FK constraint, but I'm not really sure how you'd do a "cascading soft delete" without making some kind of manual cascading logic? If anyone's aware of a standard way to accomplish this, please do let me know. Of course, the best way may just be to simplify the model so they aren't needed at all haha.

As designers and developers we've been given a chance to sharpen our toolkit. Thanks, HTTPie! You've gained a new star :)

Edit: Changed GitHub couldn't restore to GitHub didn't restore, as pointed out by @ncmncm (https://news.ycombinator.com/item?id=31033758#31034195)

> I'm not really sure how you'd do a "cascading soft delete" without making some kind of manual cascading logic?

Perhaps the delete action is not accomplished right away and a column is checked. Then after a X amount of months a worker process goes around actually deleting things?

The complicated thing is that every query has to look for the column.

Ideally, moving the entire serialized record to an archive table keeps things as clean as possible.

I meant to focus on the cascade part of the equation here. For example, lets say `stars` are foreign keyed (FKed henceforth) to repos, and (say) `X` are FKed to `stars`, and `Y` is FKed to `X`. Then if you do a "hard" delete of the repo status (or the stars), then we can set that to cascade to `X` and `Y` as well. Otoh, I don't think you can apply a cascade like that automatically when you're just changing a value (which is how a soft delete would be implemented, ig). Can you? Is there some really cool hook that allows this?
(comment deleted)
There is no need to delete anything at all. Set the "private" flag when the user asks for to make it private. Unset the "private" flag when they make it public again.

If it is needful to be able to delete stars, make a separate button for that. But it is hard to imagine such a need.

Stop. You've said the same thing a dozen times in this thread. Besides being repetitive, you're overlooking the obvious fact that having associations from non members of private repos to those repos is problematic. At the very least at the UI level, maintaining known dead internal links is bad form. So you'd be creating edge cases for the UI and probably numerous places deeper in the tech stack as well. Which is fine if you engineer solutions to all the edge cases. Perhaps after this incident they will consider doing so. But it's certainly not as trivial as you imply.
A childish response.

Feel free to address the points that I and others have brought up.

Mmh? Maybe it's because I've never touched frontend professionally in my life, but I think that if you're doing it in the UI you're doing it VERY wrong.

This logic should be purely in the DB model or very close to it. In any case the internal API should never ever list private repos of an organization a user isn't a member of, period. Stars or no stars. Follows or no follows. Why should it? There's no corner case here, if stars pose a problem, the problem isn't the stars, it's a defective model behind. Hiding things that aren't meant to be seen in the UI means putting business logic in the UI. Just don't.

Fair point. My intent was to point out the UX would be broken. But you're right, the data model that backs that UX is what would have to change.
> "that GitHub couldn't restore it"

What an odd turn of phrase.

Not sure what you meant? Are you pointing out couldn't vs didn't? If so, I didn't really think about it, although now that you point it out, I think didn't would've been a better fit. I'll edit it, thanks!
I mean "refused to". There was absolutely no value to Microsoft in refusing to restore the deleted information, and there was no practical reason to have deleted it at all. Ultimately, it just amounts to contempt.
"I screwed up. By the way, it's your fault. I hope you realize how many people think more highly of your service because my project is there. Why wont you accept some money for a service you don't provide?"

What's the value in capitulating to that? Also, a user saying "delete this stuff" is a pretty practical reason to do so.

Indifference != contempt.

Define the difference.
or maybe just incompetence? or just retro-1990s microsoft? what is this? slashdot in 1998?

i mean, this is the company that perfected the "throw it all away and start over" serviceability paradigm and the "we don't know what's wrong with it just reboot it every six hours" reliability paradigm for systems.

totally reliable business partner to trust for outsourcing critical business and government infrastructure for sure!

those who are serious and prudent seek assurance, for the reckless and feckless, there's azurance.

if the blog post doesn't work, i'd suggest renaming the project (specifically the cli) such that it makes reference to the hollowness of the new microsoft's apparent love for open source. that way when those thousands of developers (who happen the be of the exact variety that the dinosaur is trying to court) are invoking it every day, it can burn into their skulls to never ever work for, or choose technologies made by, microsoft.

score 5: funny, insightful

For Lesson 1: I think the general pattern that ought to be followed is to "prefer undo to warnings." Undo is often harder to implement, however it's usually a superior experience.
I agree that undos are pretty nice for when errors are possible, but I think there's a really good reason to put up warnings too. Let's say they accidentally made the repo private, but didn't notice it (unlike what happened here). Although you would be able to undo the change, it may have only kicked in once the news spread around (followed by reputation damage, etc). A well worded warning would prevent that.

In a way, I think warnings and undo serve two different functions-warnings are meant to inform the user of their action, and undos are meant to roll back actions taken.

There are definitely still cases where warnings are important, but the point of "prefer undo to warnings" is to eliminate as many warnings as possible to avoid desensitizing users. I should only see a scary pop-up if the action that I'm performing is going to be well and truly destructive.

Undo-instead-of-warning is a great pattern for lower-stakes actions that are easy to undo and cause minimal damage if left done. This allows the few warnings you do show to be recognized as truly important.

Even better, flipping "public/private" has absolutely no need to delete any information at all.

There could be separate buttons, "Delete all my stars", "Delete all my watches".

> Even better, flipping "public/private" has absolutely no need to delete any information at all.

Of course it does. You can’t watch/star a private repo unless you have access, so all watchers/starrers should be removed. If you kept the data as-is watchers would still see the repo updates in their feed, which is the opposite of the 'private' feature promise.

Sure, if you don't change any part of the system it has to be that way. But there's no reason a private switch can't just suspend stars/watchers instead of permanently deleting them.
I specifically dislike the "Lessons" section, as it throws all the blame on github and doesn't mention the seemingly obvious advice: "make sure you're not on autopilot when taking potentially dangerous actions, on github or any website".

Yes, GitHub probably should show the stars in the warning UI, and hopefully that will prevent some of these mistakes. But GitHub makes it pretty hard to make this mistake already - the author had to _type out_ the name of the repo they wanted deleted into the warning box. At that point, it's hard to believe the author when they claim that this one addition to the warning UI would have definitely stopped them when they weren't paying enough attention to notice they had typed the entirely wrong repo into the confirmation box.

My favorite example of this is that the cloudflare.com web UI has some extremely scary buttons, like a little "bypass CDN" button with a cloud on it that will rapidly increase traffic to your site 2-100x if you accidentally click.

I mean this isn't exactly how it works. But it's a bit scary.

I suggest you read "The Field Guide to Understanding 'Human Error'". You'd learn a lot.

https://www.amazon.com/Field-Guide-Understanding-Human-Error...

My view is that expecting humans to stop making mistakes is much less effective than fixing the systems that amplify those mistakes into large, irreversible impacts.

This, 1000x this.

It's easy to be an armchair engineer and say "well, obviously, don't make this mistake in the future".

As a species, we will always take shortcuts. If a mental pathway doesn't need to be exercised to do something, it won't be. If we see the same popup a hundred times, we're going to ignore the contents by the 100th time because we're used to it.

But it shouldn't be possible to make this mistake if this was designed properly and in a way that made it clear that what you're about to do is actually dangerous and not "dangerous" like the other dozen times you've seen the same message.

That’s not quite it. The solution isn’t to stop them from doing it or warning them more aggressively; it’s to make it genuinely less dangerous. For example, make the stars all come back when you reverse the switch.

Of course that’s a lot harder to do, since it’s a lot more than a UX change. So I’m not really slagging GitHub here. But it’s the right way to attack this problem.

True "Undo" is, IMO, a pipe dream for all but brand new projects. That will pretty much require you to rearchitect a decent chunk of anything that wasn't built with it explicitly in mind.

In this case, I don't quite understand why stars and forks need to be deleted when switching visibility, since it seems like the two shouldn't be linked. I can star and fork my private repos just fine, so it seems like it was just easier to clear it out than to deal with RBAC at that level.

I don't think any fork was deleted. 3.5k forks as of now vs 3.4k forks in January: https://web.archive.org/web/20220129022012/https://github.co...

Many people won't notice some of their stars having disappeared, but many would be surprised to see their forks deleted without their consent, especially those that are not merely a mirror. People can have diverged forks after adding substantial changes without feeding them back to the original for a variety of reasons.

Then don't "do" the delete, when the users "do" the delete.

Pretend to do it, actually do it 24 hours later, and if they "undo" the delete within that time frame, just remove it from the delete queue process.

Just not deleting them in the first place, or not deleting them until explicitly asked to, would suffice, and would be, ultimately, less code. So, I am not buying the apologetics.
It seems to me that services that pretend to delete data but don't actually do it are usually subject to criticism on Hacker News, not praise.
You did not read the comment you replied to. Why? And then, why reply?
The issue tend to be services who are not upfront about it. "This is potentially really damaging, so in case it's a mistake we'll just hide it for 24 hours during which you can undo" or something to that effect would be sufficient.
The counterpoint is that tools like that can be abused. Just as a hypothetical, if I have an open source product and do something the community doesn't like, I can make the repo private til the storm blows over so people can't un-star it. The number of people that remember to un-star it a week or two later is going to be a lot less.

I still think you're right, but it's not even as simple as UX and small backend changes. Allowing the repo owner to re-play other peoples' actions comes with complicated policy decisions. GitHub could make it so only support can restore those, but now they're in the awkward position of having to say when it's okay to restore and when it isn't. Still, it may be the best compromise.

> It's easy to be an armchair engineer and say "well, obviously, don't make this mistake in the future".

It's sort of equally easy to say Github should do X or Y to improve the UX in this (rare?) case without actually knowing the effort or opportunity cost.

Like maybe I'd rather Github figure out how to not have outages so frequently and how to not accidentally give people million+ dollar bills and such.

> Like maybe I'd rather Github figure out how to not have outages so frequently and how to not accidentally give people million+ dollar bills and such.

I doubt the engineers working on the stability issues or billing have anything to do with UX and vice versa. It's not like there's a singular focus that everyone at the company must prioritize above all else. Multiple people can work on multiple projects and not impact one another at all.

On one hand you have millions of users who each are obliged to walk on eggshells.

On the other, you have a few Microsoft hacks who could easily do the right thing on behalf of those millions of users.

Pretty much agree— Universal human fallibility is not an avoidable moral failure, but looking down on those who've made, admitted, and taken responsibility for simple mistakes sure is. Unrealistic assumptions about people's attention, processing capability, and physical capabilities may be the greatest hurdle when trying to actually solve people's problems with software. It can even be a safety issue— consider the Therac 25 incident.

That said, superlatives like "impossible" aren't realistic here. As long as an action is possible, it is also possible to fuck it up. The challenge screen does require typing in the repo name which is a pretty solid attention-getter. It would be nice to list the important side effects in big angry letters but I'll bet the list of side-effects that are important to some people would be pointlessly long. Maybe a sanity check requiring repos with extremes in certain metrics to get a sanity check from support first— but I have had some preeeeettty protracted response times from GitHub support.

> I'll bet the list of side-effects that are important to some people would be pointlessly long.

There's many good ways to design this that wouldn't result in pointlessly long lists (which is another problem). You don't need to expose everything that will happen when you do an action, just the "most important".

With unlimited budget, you could compare a bunch of metrics to a baseline to figure out what might be important. Have a lot of stars, way more than the average? That would be nice to highlight. Only have a normal number of forks? Probably less important to highlight that. At the end of the day, Github repos aren't extremely unique. Sure there's probably extremely rare edge cases, but for most repos, comparing against a relatively small number of metrics should get enough to paint a picture of what might get broken. Everything else can be hidden behind a "... and X more" if people are curious.

This both highlights the most important things that might happen, and also provide people with an action to do before confirming, hopefully helping to break the autopilot at the same time.

You assume the metrics you have are sufficient to determine intent and importance, that your users needs are uniform enough for those determinations apply, and discount the possibility of making things worse by communicating the wrong thing. These assumptions perennially land developers and inexperienced designers in hot water designing things like this.

> "most important"

Yes— the problem is determining the most important metrics for the human who's reading the dialog. Sorting the second part is a lot more difficult than the first.

> With unlimited budget

This framing is only useful to determine what behaviors would be great, not feasibility. We seem to both agree on the ideal behavior but not on the feasibility.

> you could compare a bunch of metrics to a baseline to figure out what might be important.

Important to whom?

> Have a lot of stars, way more than the average? That would be nice to highlight. Only have a normal number of forks? Probably less important to highlight that.

Average for what? Just average for everybody? For the deprecated SlackTextViewController which has vastly higher numbers overall than the unmeasurably more important net-snmp? What about for repos that serve as core functionality to frameworks that only care about forks? XML Schemas that people refer to but never interact with? What about for a company that doesn't care about stars because they're incredibly popular outside of that repo but it's critical for them to monitor the small number of people who've forked their repo?

> Sure there's probably extremely rare edge cases, but for most repos, comparing against a relatively small number of metrics should get enough to paint a picture of what might get broken.

The repo about which you said this mistake should not have been possible was an extremely rare edge case. The article went to great lengths to explore just how fantastically different this repo was. And if you're talking about painting pictures you're using the wrong medium. More information can make the message more pointed but only if it's brief and extremely relevant. If it's not, it's going to reduce the focus on the danger message.

> Everything else can be hidden behind a "... and X more" if people are curious.

Aaaand we come full circle. The whole point of this is to put the metrics most important to that user right in front of their face in bold type because that's going to stop autopilot mistakes. If it's hidden, it failed. Beyond that, the order in which you list things connotes importance— closer to the beginning means more important. Being hidden connotes far lesser importance. If you put the wrong things at the top and the right things behind a click then the autopilot user subconsciously assumes they'd care about the hidden things even less. You're increasing the risk of failure rather than decreasing it. If you're going to highlight anything, you better highlight the right thing.

The existing dialog is pretty clear that you should investigate what it does before you actually execute the command without giving people false clues, and that may be the best compromise. You don't convey false impressions but still convey danger.

> At the end of the day, Github repos aren't extremely unique.

From a quantitative perspective they're not incredibly diverse, even if they're probably more diverse than you imagine. What is immeasurably diverse is the roles those software packages serve, the people who interact with them, and what they need to accomplish their goals. Assuming you can boil that down to a heuristic using available data is something that needs to be concretely proven— not assumed.

Anyone wanting to dig deeper into the design side of this should check out Triadic Semiotics— it's the philosophy of signs.
Warnings are good but not perfect. At the end of the day, you can’t help everyone with just warnings. You could make the UI bright flashing red, with a skull and crossbones, have it say “Never invoke this: it will delete all your data and kill your dog. Please type ‘I_WANT_CANCER’ to continue.” And users will do it. It can’t be helped. The only (admittedly hard) way is UNDO.
It's a real strength of Gmail and some other Google interfaces — undo instead of warning dialog.
I think from UX perspective it is unbelievably more convenient as well. Plain popup warnings with "press Ok if you mean it" are bad enough, but quite recently the new even worse "type delete, if you want to delete, then press Ok" popup has been spreading about... If I want to delete over a couple of things I get incredibly irked.
There are a couple of issues with UNDO too:

- (not intrinsic) many interfaces only give you a few seconds to undo your action, which wouldn't help in this case

- (intrinsic) some events can be layered on top of your change, meaning that you have to either block the undo or reverse all the subsequent events too. This wouldn't be the case for this HTTPie incident, but does prevent UNDO functionality from being a silver bullet.

Undo. If it's possible, you want undo. If it's difficult, you still want undo. Only when you've satisfied yourself that it's outright impossible should you reluctantly design the UX with the "Are you sure?" prompt instead.

Also, if you must have I_WANT_CANCER type prompts, try to make them involve expressing what it is that the human is agreeing to, because sometimes it's only at that point the human realises their plan was very stupid. GitHub does that here (you have to type the name of the repo, to delete main_project you'll need to type main_project) but many things do not.

This is why I like Git's force-with-lease. When I try to forcibly overwrite the state, because I know Jim's push was wrong and must be undone, force-with-lease makes me express that, "--force-with-lease=jim-daft-change". And when in fact what I'm going to overwrite is Lisa's urgent bug fix, not Jim's erroneous change, the force-with-lease fails and to get it to apply this way I'd need to say "--force-with-lease=lisa-bug-fix" and that's one last opportunity to say "Wait, what? That's not what I want to do".

It sounds like you've never been part of an engineering organization (I know you have since you bring up unlimited budget ;)

It is obviously possible to design a much better, contextual warning with (more) relevant details highlighted. How much time is usually set aside for those?

And yet, it's never going to stop mistakes.

And how many other places like these are there in a large service like GitHub?

A much better way to fix this is to expect mistakes and make it possible to revert instead. Soft deletes can make that trivial to implement for the most part too (except in GDPR like cases where you've got to really remove stuff).

Even for GDPR stuff you can delay the hard delete for a day or so, which should give the user some time to notice and correct a mistake.
> The challenge screen does require typing in the repo name which is a pretty solid attention-getter.

This is not quite correct. In requires inputting the repo name. It's attention-getting the first time. But recently with some colleagues as part of a handoff we went through 50+ repos and archived the irrelevant ones. Very quickly the person doing the actual archiving went from typing to just copy-pasting the repo names. For programmers, copy-pasting from one spot to another can become very mechanical.

So I think this UI choice works well for something that is done very occasionally. But it's no better if people are in the habit. Whereas showing novel information about the cost of the choice would be helpful in breaking the routine. Then could then also make it so that they had to type something only when the operation has a high cost, and what they typed could be something not directly copy-pasteable.

That's fine. The goals of designing a sanity check prompt to snap people out of autopilot are entirely different from goals you might have in a security system— their being defeatable isn't even a flaw. Jersey barriers vs rumble strips.

If someone deliberately doing the same thing over-and-over can avoid the manual effort, that's fine. Their frustration would likely make them think about it less. You don't, and shouldn't get prompted to do the same thing using the API, either.

Yeah. A warning that can be pattern matched by a human brain, that is just a routine action, will result in autopilot behavior. Flipping early repo visibility is common, I assume. Flipping visibility of 100+ star repos is likely much less common. So having a separate warning in that case might help you snap out of autopilot due to novelty.

A common knee-jerk reaction to "users aren't taking our warnings seriously" is making the warning look more scary and involving more (mechanical) steps – such as two confirmations instead of one. Well, that's pattern matchable and subject to desensitization.

Like the article states, it's more efficient to instead show what you're about to remove, i.e. a summary of the content as opposed to an identifier, then you get both novelty and proportional scariness, depending on how "big" it is.

https://en.m.wikipedia.org/wiki/Alarm_fatigue

(comment deleted)
I am surprised so many people treat losing stars as "dangerous": I can certainly emphatize with the designer coming up with this pop-up while looking at a sample project with 12 stars.

Considering this project was out of ordinary in having 54k stars (article mentions being in top 80), they should not be surprised that their case is not top of mind.

Sure, it would be nice to highlight the most destructive of actions, but they already had to type out full project path as confirmation.

I do believe it would be better if Github allowed restoring data in the next few days (soft deletes ftw) once they hit this issue themselves in the past.

And Github support should have recognized that this project is a special, out of ordinary project, and afforded it some engineering time to restore everything.

> I am surprised so many people treat losing stars as "dangerous": I can certainly emphatize with the designer coming up with this pop-up while looking at a sample project with 12 stars.

Lots and lots of websites and companies use the number of stargazers as a strangely important metric for success, so losing them can be really bad.

Yeah, it's a different story when dealing with safety.

With industrial machines you have to assume people will do the dumbest thing possible. Because someone will find a way to get crushed in a moving part if they can.

You have safety fence after safety fence and regularly test that your lockouts work.

If you don't do all of this and someone dies you can face very harsh legal penalties.

We don't do this with software when the cost of failure is so much lower but we should still understand smart humans will make mistakes.

In software often the cost is paid by other people (your users) and you don't (want to) see them. How much did the Atlassian outage cost it's clients altogether? How much thereof will they need to compensate?
My favorite is "let's imprison people who make mistakes". It doesn't stop mistakes, it just covers them up.
People are imprisoned when they are a danger to others or at risk of flight. Their time in prison is meant to reform them and help them back into society. The community is protected from further "mistakes" from a person, while allowing the person to learn not to make the same mistake again.

At least that is the idea.

Some mistakes are accidents, some mistakes are made on purpose.

The latter needs some kind of consequence in place to offset the benefits from purposefully making said mistakes.

> My view is that expecting humans to stop making mistakes is much less effective than fixing the systems that amplify those mistakes into large, irreversible impacts.

This is applicable to almost any activity: "Sure he was driving drunk, but the car's manufacturer should have prevented that from causing any damage!" I agree that GitHub should improve the design here - privating a '10 star / 1 week old' repo shouldn't be treated the same as privating a '50k star / 10 year old' repo. I don't mean to diminish the fact that GitHub's UI should be improved here.

But the author needs to take some responsibility and realize they were ""driving distracted"", and not act like GitHub is 100% at fault here. Just because GitHub didn't act perfectly doesn't mean the author didn't make any mistakes.

Neither the author, nor anybody that I can see here, is saying that the author didn't make any mistakes.

But what you are saying is that marginal effort to prevent mistakes is not worthwhile.

Cars, to take your example, would not be as safe as they are today if they followed the principles you've shown in this post and the grandparent. And yes, even when driving drunk, which is illegal, is safer too - stay in lane, adaptive cruise control, automatic braking, etc. have all incrementally made even extremely ill-advised behaviours safer.

This idea - fixing systems that amplify mistakes into large, irreversible impacts-- is why I am against alcohol, marijuana and other mental-state altering drugs for recreational purposes. (I'm not talking about people who really need pain relief from cancer, amphetamines for ADHD, etc.)

If no one in the world drank, smoked pot, or did drugs, how much better off would we all be? 100,000 deaths come from alcohol use every year in the United States alone[1]. That doesn't even account for countless cases of abuse, broken families, crime, and other negative effects of alcohol and drugs.

So many people say "oh well it's fine if I do it, I'm responsible" but then at some point someone isn't fine and isn't as responsible as they think they are.

[1] https://www.cdc.gov/alcohol/features/excessive-alcohol-death....

(comment deleted)
> If no one in the world drank, smoked pot, or did drugs, how much better off would we all be?

Perhaps that's true for your definition of "better off", which is perfectly fine, but it isn't universal. Even though I don't do drugs, I don't think it should be anyone's business to police what other people do with their minds and their bodies on their own time, as long as they don't pose a threat to anyone else.

I'm scared to see what your sanitized world would look like. Some of the most interesting art, music, and personal perspective has come from the consumption of the substances you deride as unnecessary and destructive.
How much art, science and deep, personal perspectives were lost due to abuse and death stemming from substance abuse? In case of certain substances (like alcohol) we have rather hard statistics about it's overal impact on physical and mental condition of society. Slow change from alcohol to safer alternatives (ex. cannabis) is probably one of the best trends in current times.
How many lives were saved or changed for the 'better' through the escape of, enjoyment of or numbing with drugs and alcohol? Who knows?

Perhaps if we think more like adults instead of infants we can try to understand complex issues better instead of reinforcing black and white stereotypes of the world or rehashing whatever our favourite source of ignorance tells us.

An interesting thought experiment - how many of us would be here at all if not for alcohol? Ignoring butterfly effect aspects, the number of people who were only conceived due to decisions made under the influence of drugs would surely be very large even today, let alone prior to the availability of birth control.
I think that do-gooders who have a "Great New Idea" for how to make society better are 1000x more dangerous than any type of drug ever invented. People drunk on alcohol mostly fall asleep harmlessly. People drunk on power and how awesome their own ideas are launch prison-industrial complexes, dystopian enforcement schemes, wars, genocides, etc.

It may be an even worse drug. People on drugs mostly have some awareness that their ideas aren't very good. But for those drunk on power, the fact that their same great idea has already been tried and led to total disaster is no cause for concern at all. You see, they're obviously smarter and better than the last batch of power-addicts who tried that, so they'll do it right this time. Heaven help us if we ever discovered a chemical intoxicant that was capable of making people that deluded.

You haven't really thought this through.

One, those substances are fine for a lot of people.

Two, some of those substances are fine for most anybody. I've never even heard of a deadly marijuana overdose, and the evidence shows no increase in mortality for marijuana users.

Three, we already tried alcohol prohibition, and we are currently trying drug prohibition. It does not solve he problem you care about, while creating other large problems.

So really, you sound like somebody who has a personal hobbyhorse and uses pretty much anything (like say, losing stars on GitHub or mentioning a book on airplane safety investigations) to argue for it. And that sort of motivated reasoning around argument for societal change strikes me as way more dangerous than somebody eating a THC edible.

Is that book still worth to spend time reading if I do understand what you are saying and I hold the same views? I'm always hungry to learn something useful from books, but more often than not I find these hyped books ("The Checklist Manifesto" comes to mind) really annoying in that they make me spend a significant amount of time reading stupid "curious life stories" to bring across a point that can be expressed in a 3 word sentence, like "checklists are good". And it's even worse when these are trivial truths most sane people would agree on, which doesn't make the "advice" more actionable, because it's just much easier said than done.

I mean, it would be disappointing to read it to find it summarizes exactly to what you just said.

It's an incredibly rich book. I learned a ton from it. Indeed, I avoided summarizing it here precisely because it's hard to sum up.
From the product's perspective speaking in aggregate, that is entirely correct.

From an individual user's perspective, you still need own your shit and avoid making these mistakes. You can't rely on everything you use having smart safeguards.

There will always be dumb/careless users that a product should consider. There will always be suboptimal UI (we could've just as easily been talking about CLI database tools) that a user should watch out for

But still, I also share the opinion that GitHub's UX for dangerous actions on a repository is currently already best in class, so blaming them for your mistakes is pretty unfair. To make your repo private, you have to:

- click "change visibility" in the "Danger Zone" area of the settings.

- select "make private" with an additional warning shown that you will lose all stars and watchers. Ok, maybe it should mention how many.

- type the name of the repo into a box and then click "I understand, change repo visibility".

And yes, sometimes it is important to expect humans to not make mistakes. For example, at railway crossings. Even if you drove over it 100 times and no train came, the 101th time you may still die if you don't check for a train before crossing.

> And yes, sometimes it is important to expect humans to not make mistakes. For example, at railway crossings. Even if you drove over it 100 times and no train came, the 101th time you may still die if you don't check for a train before crossing.

For somebody going through a railway crossing, yes, they shouldn't allow themselves to be prone any mistakes there. However, for the people involved in the construction of the railway crossing, they should certainly expect everyone to screw up and scrutinize the safety. We don't want to leave anything affecting livelihoods to chance.

"On average, each year around 400 people in the European Union and over 300 in the United States are killed in level crossing accidents."

https://en.wikipedia.org/wiki/Level_crossing#Safety

(comment deleted)
That's why a level crossing has a barrier that's only there when a train is approaching. Imagine the barrier was always there; that would be asking for people to ignore it.
So, displaying an additional or more explicit warning that mentions stars and watchers makes sense. No arguing, hope they do that. But to me also, it left a little bit of a bad aftertaste that the author completely skips over the part of that process where you have to enter the repository name right where they show the two screenshots side by side.

Anecdotal: You have to enter the full name for a couple destructive actions on GitHub, and every time I had to do it was so jarring to me that I stopped everything, rechecked what I'm doing twice, started wondering if I might be dreaming, am on drugs or a voice in my head is telling me to do something dumb. Like, yes we should improve nonetheless, and I usually try to put myself into other people's shoes before judging them, but this is just one of the few times where I just can't help but, you know, think it was somewhat dumb to make this mistake with the current system in place. Like, next time we have this stars and watchers warning in place and still someone will manage to proceed on autopilot, what do we do next? Have a siren sound go off in addition? Have the user enable their mic and spell out the repo name? Send a written letter to GitHub? You'll never get the error rate to 0, at which point would you rather accept people making mistakes and calling them out on it than adding more inconvenience on top that just bothers everybody else?

Most people in this thread seem to be ignoring another very major cause: the inconsistent naming for personal READMEs between users and organizations. Users have their README at username/username, but orgs have it at orgname/.github

Nothing else on GitHub is like this: orgs and users are treated as the same class of entity pretty much all the time. I could easily see myself making the same mistake on autopilot.

They have a bunch of differences under the hood, particularly when you want to give perms. It makes sense, sort of, on its face, that a user can’t have teams, but why? That decision is pretty arbitrary, to me. Then in GHE, users and orgs have all sorts of fun differences when you consider things like internal/public/private and how people can interact with them; to wit, if you’re in ANY team you can see ANY internal repo in an org, but if you’re limited to just personal repos, you can see no such things.
(comment deleted)
It's not about whether human can make a mistake or not. It's about how much effort should be made to prevent a certain type of human mistakes.

If every system we're interacting daily should be fool-proof, it will requires enormous time and effort. Naturally, we invests more time and effort when it's about life and death situation. If we only lose 2 cents by our mistake, we just don't care.

Of course, I'd like to have more fool-proof design in all the destructive interactions from all websites. But, the question is, does it worth it?

> I specifically dislike the "Lessons" section, as it throws all the blame on github and doesn't mention the seemingly obvious advice: "make sure you're not on autopilot when taking potentially dangerous actions, on github or any website".

I don't know. Github employees themselves have made this mistake as outlined in the post, and they were easily able to recover from it, which probably lowered the priority on changing any UX.

Essentially, it's a complete non-issue depending on whether Github cares about you.

Would you like the police in your area to behave in this manner? I think not.

Idk about "easily", but I'm sure they were motivated. If you've ever tried to restore parts of a database in a piecemeal fashion, it is usually fairly labor intensive. But you would hope there are a few gh engineers who would be motivated to do so without manager approval in the dead of night because httpie is great.
> But you would hope there are a few gh engineers who would be motivated to do so without manager approval in the dead of night because httpie is great

On the other hand, you should really, really, really hope that GitHub has internal guardrails to prevent their engineers making cowboy edits to the production databases without manager approval.

Haven't worked there, but I assume one engineer just needs one other engineer to approve their PR. I would be pretty surprised if it was more robust that that.
I haven't worked at GitHub either, but I did work at AWS, where a change to a production database required filing a detailed CM (change management form) with step-by-step details of the operations to be completed + monitoring criteria + rollback plans. That CM had to be approved by the senior eng staff of all affected teams, plus the full management chain, and in a high-profile issue like this, the PR/comms teams as well.
> Essentially, it's a complete non-issue depending on whether Github cares about you. Would you like the police in your area to behave in this manner? I think not.

Obviously it would be nice to see A similar response from GitHub regardless of whether the issue at hand is affecting themselves versus a member of their community. But, as long as humans are making the decisions, that’s probably a pipe dream. And honestly, policing could very well be the standard example of this.

Sure, I understand that. But I think, as a designer, I can't really control the actions of my users. I can only try to design such that I can get them closer to the action they want to take. From that perspective, I think adding the additional information to the warning UI would, if not solve the problem, at least get us one step closer to helping the user make the right decision.

Tbh, when I've deleted repo's, I've mostly just copied the repo name and pasted it in the box. Careless of me? Definitely. Can GitHub change that carelessness? Probably not. Will a box that says "Stars: 54k" help? I think it'd help me, at the very least.

In addition to typing the repo name, maybe they should make you check a box for each type of item that will be deleted:

    [ ] Delete 54,000 stars?
    [ ] Delete 8,000 watchers?
    [ ] etc
Or just, you know, not delete anything until otherwise asked to. None of tha has anything essential to do with making the thing private.
Is the repo is private then it’s impossible for anyone to “follow” by starring or watching.

There’s also an issue of taking a repo private, making changes when no one gets alerted, and making it public to make it harder for people to know what’s going on.

> There’s also an issue of taking a repo private, making changes when no one gets alerted, and making it public to make it harder for people to know what’s going on.

They could always notify watchers about the repo being made private.

And, importantly, don't show an item if it has zero items in it.
How many years have we had to learn from people using programs to know that people make mistakes. Goodness knows how many people burned themselves using "rm". For that reason alone, "rm" is a bad tool, and should be replaced with something like trash-cli.
that would break billions of scripts and confuse the hell out of hundreds of thousands or millions of users. Especially seems unnecessary since most distros ship an alias that makes the default `rm` command run with the `-I` or `-i` command.
Of course it is here with us to stay. The point is that if the initial design was different, there would be fewer headaches. We certainly have the power moving forward. And as discussed in the article, a prompt is not enough to deter a user doing something other than what they think they are doing.
> Especially seems unnecessary since most distros ship an alias that makes the default `rm` command run with the `-I` or `-i` command.

I would say that makes things even worse. Because it's just training you to rely on -i/I as a sensible default. One day, you'll encounter that one distro that doesn't have that, and it'll be the time where you really wish it were.

Hmm, interesting point. I removed that alias early personally in favor of giving due respect to rm (especially with a `-r`!), which is probably an indicator in your favor.
I alias rm to `echo ‘use trash’`, and then use /bin/rm when it’s what I really want.
>Especially seems unnecessary

An option that shows a y/n action. That's what GitHub does when you're about to make private/delete a repo (even more asking you to type out its entire name) and yet here we're.

(comment deleted)
Yeah, but on the other hand, "don't make mistakes" isn't a meaningful or useful lesson.
Don't make this specific mistake is a very meaningful and useful lesson.
Yes. But without the possibility to undo mistakes you'll stand in ruins before you learned enough lessons.

"Just don't make any mistakes" is the worst stance one can have in this context, it denies reality and only assures you're unprepared when (not if) something important goes wrong.

I would argue that the fact that GitHub themselves made the same error really tells us that yes the UI makes it way to easy to do this. Considering the number of repos on GitHub I wouldn't be surprised if someone made the same error every a couple of weeks (but typically not with such high stakes).

I would also say that post does not come across to me as he is only blaming GitHub.

On typing out the name of the resource, it is of course a way better check than just displaying it. I think it also was very efficient when there was only a few places using it, and the novelty made it attention focusing.

Thing is, we type all day, and can type pretty much any string at a decent speed without putting much thought into it.

Any of us must have mistakenly typed a full file path or API URL, just to realize it’s not the right machine or project after having typed it all. It just take 2 or 3s max after all.

I think it becomes an arms race to get attention on important things, we can do better by focusing more on every single destructive operation. We can also avoid having too similar interfaces for completely different contexts.

It's also worth mentioning that the name of the resource here was confusing - the author mentions that this happened because he mixed up how GitHub names profile READMEs for organizations vs users.
Data privacy laws like GDPR probably require them to fully hard delete when a user asks for something to be deleted. So any undo functionality would need to make sure it's compliant in every region that could have a privacy law. I'm not sure how realistic it would be to ask companies like Github to jump through all those hoops because people refused to read (and then blindly typed stuff out).
Interesting idea but what PII is stored with stars?
I'm pretty sure GDPR doesn't say everything must be wiped instantly but instead within a reasonable time period. One that's certainly enough to undo such actions.
> I specifically dislike the "Lessons" section, as it throws all the blame on github and doesn't mention the seemingly obvious advice: "make sure you're not on autopilot when taking potentially dangerous actions, on github or any website".

First of all, this is self-evident. But second of all and more importantly: it doesn’t scale.

The reason we have blame-free postmortems is because people will always make mistakes, so we find ways to change process or design to minimize those mistakes.

If you think you’ll never do something on autopilot, you’re fooling yourself.

It’s not a “blame free postmortem” though. The author is blaming GitHub for not sending him a handwritten letter from the CEO inviting him not to do the stupid thing he positively affirmed he wanted to do.

The author also neglects to mention he had to type the full project name into a dialog box, which would be critical to any real postmortem. If typing the repo name into GitHub didn’t wake him up, why should we believe listing the number of stars would? The author said he thought he was in a different repo, but that makes no sense.

The real lesson, imo, is for people obsessed with stars to set up permissions, use dedicated accounts, and not toy around with settings you know are dangerous before you’ve had your coffee.

That’s a lot more reasonable than GitHub spending time to implement yet another warning box feature that the author has proved they can ignore regardless of how obvious GitHub makes it.

The author is blaming GitHub for not sending him a handwritten letter from the CEO inviting him not to do the stupid thing he positively affirmed he wanted to do.

Please, quote from the article where you read this. I don't see it.

In the article I read, the author admits fault:

> I accidentally made the project’s repository private for a moment.

The author goes on to explain how they made the mistake.

> What put me on the wrong path was an otherwise completely unrelated action: I had just done the same (i.e., hidden an empty README) on my personal profile by making jakubroztocil/jakubroztocil private.

> GitHub’s conceptual model treats users and organizations as very similar entities when it comes to profiles and repos. In this context, and since I just wanted to repeat the same benign action on our organization’s profile, my brain switched to auto-pilot mode.

> I didn’t realize at the moment there’s an inconsistency in the naming of this special repo containing profile READMEs and that it differs for users and organizations: name/name vs. name/.github.

> That’s why I proceeded to make httpie/httpie private instead of httpie/.github without realizing my mistake.

The author does not attempt to hide or misrepresent the GitHub UI that requires confirmation. They show it for both "httpie/httpie" and "httpie/.github".

It does not matter that you have to type the repo name, because once you are on auto-pilot, you proceed past this step. In fact, the author doesn't admit it, but if he's like me, I'll bet they copy/pasted the name. Because the name alone is not sufficient.

The author then goes on to suggest what might have kicked him out of auto-pilot. Providing more information about the repo other than just its name. The name alone is NOT sufficient. And they author shows some example UIs from their own software.

Your suggestion: "The real lesson, imo, is for people obsessed with stars to set up permissions, use dedicated accounts, and not toy around with settings you know are dangerous before you’ve had your coffee."

This simply does not scale. It would require everyone to learn the same lesson for themselves.

I've been a sys admin and developer for over 25 years. People make mistakes. They make them all the time. Putting context-free (or minimal context in the case of the GitHub UI) "Are you sure?" dialogs in front of them does nothing to prevent mistakes.

All the author is asking for is a bit more context from the GitHub UI to help the user realize the significance of their action. This would help future GitHub users to avoid the same error.

Having to also type out the number of stars you're deleting when it's above some threshold would probably eliminate the error. I think people who use git a lot are used to having the same or similar repository names in multiple contexts and locations (it's decentralised), so typing out the repository name, even though it includes the user/organisation, is not as severe-seeming as the designers thought. Confirming the consequences seems better than confirming the command.
I think of the burden on the typical use case and think the current prompts should be sufficient.

What’s the star threshold? 1000? 5?

I’d hate to now have to type in the number of watchers and stars as part of the private/delete/move/etc prompt for all the times I know what I’m doing.

It’s a balance between punishing the non-stupid users vs protecting the stupid users. And people switch between these categories. I might be non-stupid today and stupid tomorrow.

> make sure you're not on autopilot when taking potentially dangerous actions

When it comes to repetitive or familiar actions, this is physically impossible. If a repeated action is dangerous you cannot use a human interrupting themselves as your only control. It just won't happen.

Overall this is a classic UI design failure. In addition to the "people physically can't take themselves off autopilot" problem, the interface destroys the user's data without providing a way to get it back. It would take relatively little engineering effort to make this reversible.

"The user shouldn't be stupid" - which is what you're saying sounds like to my ears - is not an approach that scales well.

Mistakes happen. It's better to have a really good Undo than a lot of confirmation dialogs.

If your whole job is to use power-tools, the fact of using power-tools by itself — scary to some — becomes benign for you. `rm -rf` isn't scary to type if you e.g. write CI scripts intended to run in sandboxes all day. Deleting a repo isn't scary if you delete a lot of pointless repos.

A prompt that pops up to warn you that you're doing something potentially dangerous, when you know that what you're doing is benign, is a prompt that's crying wolf. You'll learn to tune it out.

This is a good point and reminds me a story of many years ago when someone accidentally ran “rm -rf” on an important directory and caused a lot of work.

A well-intentioned PM then thought the fix was to alias rm and add prompts to confirm. They had a whole project to add this alias everywhere.

First it broke existing scripts all over the place. So they fixed them to auto apply the confirmation.

Cut to a few months later and someone rm-rf’d something again, ignoring the prompt (or maybe auto applying it).

So the PM wanted a better message and a second prompt.

People are well intentioned but I’ve seen this path of stupidity that doesn’t solve the problem but is an activity in response to a problem.

Yeah, aliases for "rm" to "rm -i" I find are especially counter productive in this regard, as it conditions people to type rm -f after they get spammed to approve several hundred files while trying to delete a git checkout or node modules too many times.
> make sure you're not on autopilot when taking potentially dangerous actions

If they're in autopilot, how are they going to "make sure"?

Everyone has been in this spot several times. Those who didn't are just lucky.

There's got to be external contingencies to protect people when they're in autopilot.

(comment deleted)
I disagree because there is no UI to indicate you're in a special repo. And I blame GH for not considering this "large project maintainer" use-case.

When I administered many VAX / UNIX machines waaay back, the terminals were all configured to be 'special' for the super user. It would have been HORRIFICALLY BAD if any command were executed unknowingly.

GH does -not- distinguish for project sizes, so there is NO SUPPORT for its users in this way. Every feature is to be considered with the same "shotgun severity".

The problem is that this “seemingly obvious advice” is completely useless because it’s not actionable. It’s similar to saying “to avoid the mistake, just don’t make the mistake”

To make a better system for every human, you can either try changing all the humans, or you can change the system that is supposed to serve them. One is easier than the other.

I recommend reading “the design of every day things”, it talks about this exact attitude and why it’s terrible.
Agreed, and I'm genuinely surprised that so many on HN are angry at GitHub when they already made it so hard to do this. The author explicitly mentions they were on autopilot - it would take a significantly more challenging barrier for them to not do the exact same thing no matter how many prompts GitHub put there. It does make sense for it to be more reversible, but I can also understand why GitHub doesn't want to put in the effort: this is a once in a year kind of incident and the resources required wouldn't be worth it compared to signal boosting, like they did on twitter. I, for one, would be extremely pissed if GitHub made it harder for me to do routine actions because there's a possibility of data loss. I signed up for that when I typed the repository name in.
I intentionally did this very recently for a whole bunch of old repos (mainly because a Github bot decided to start emailing me weekly about vulnerabilities in stuff that has been untouched for nearly a decade) and was mildly annoyed at how inconvenient it was to make them private. I would have said the warnings are unnecessary overkill.

It's quite amusing to read this so soon after.

Same here - not too long ago I had to take a bunch of repositories private, and while I appreciated the prompt (I've dealt with destructive actions that have even less of a barrier before, and that sucks) it still was annoying to do that again and again.
The point the author makes is not that it should be more tedious to make private: they in fact suggest making it as tedious as it is only when you are on a new, non-massively-starred repository. Right now it is only tedious and not sufficiently alarming, is what people are saying.
Also sudo mode, right? They had to authenticate to the whole website again too, before doing this!
Agreed, the swipe at Microsoft (with links he saved from who knows when!) was especially gratuitous. He mad. Don't write something public when bitter should be a lesson right after don't be on autopilot.
GitHub probably should show the stars in the warning UI

In this particular case the stars would have been a useful clue, but in the majority of similar cases the wouldn't be any stars. It would be a useless and redundant signal.

Number of forks, maybe? Or pull requests? Although those wouldn't disappear of course...
It would be very rare to have lived through an IT career and not make one or two fatal autopilot mistakes. In the 90s and early 00s it was very easy to lose a production system because you did something wrong that you did 1000x times right before. And this is a modern version of it; for me, this should not happen; if I designed GitHub, these people giving stars and watch would get selected based on the visibility of the profile. That hardly costs anything and then the user can just switch between visible and invisible at will and not lose anything. But I have made many similar mistakes in the past which is why I don’t delete stuff usually anymore; I just flag it deleted and gdpr material I encrypt. I simply don’t want either software bugs, hacks or human error to cause any damage. With the cost of storage and the fact that I work only in b2b, this comes at virtually no cost but with a lot of happiness for both our users and myself.
I feel for the guy and what he says about user interfaces is all true, but the tone of the piece grates on me a little.

“I take responsibility, but…” is not “I take responsibility.”

> the author had to _type out_ the name of the repo they wanted deleted

Where does it say that they deleted any repo?

> obvious advice: "make sure you're not on autopilot

That... isn't how "autopilot" (or humans in general) work(s).

The author explicitly admits "my brain switched to auto-pilot mode." The problem with that is that we're on auto-pilot many times and we realize we're doing it only after something bad happens. The UX should prevent auto-pilot to do harm to us (and possibly to the customer/company relationship.) "You're about to delete 55k stars" should be enough, as the author suggested. But designers can be on auto-pilot too.
> But designers can be on auto-pilot too. You're blaming some people without any basis.
Tbh, it doesn’s look like the wrong repo name if you want to make your organisation README private. I agree with the author that the discrepancy between user and organisation profiles doesn’t help here. If every user/organisation could make a .github repo instead it would be much more obvious.
Yes, and as Don Norman puts it, Design is mostly on how to make errors non-catastrophic. No design nor training ever will abolish them.

Humans err.

> the author had to _type out_ the name of the repo

I copy/paste the repo name every time I delete a repo on GitHub. Yeah, it’s still a minor impediment, but it’s definitely not “TYPE the account and repo name.”

> make sure you're not on autopilot when taking potentially dangerous actions

Humans will be humans, we can't help it.

Structures or systems that handle large amounts of user interactions should predict such use cases and design accordingly. a.k.a make them "idiot proof".

> "make sure you're not on autopilot when taking potentially dangerous actions, on github or any website".

Have the advertisements/sign-up/GDPR pop-ups trained us to 'engage autopilot to dismiss the pop-up' as soon as possible irrespective of its importance?

I ran into this in pgAdmin recently. When right-clicking on a server, the options to disconnect the server and remove the server are right next to each other. Clicking disconnect presents you with the following dialog box:

"Are you sure you want to disconnect the server? No / Yes"

Click remove presents you with the following dialog box:

"Are you sure you want to remove the server? No / Yes"

Good luck! I mean, it's not a super huge deal to recreate the server entry, but still annoying when you're in the middle of something and just realized what you did.

Honestly, just replacing the "Yes" button with the action being taken would be enough to improve this. "No / Disconnect" and "No / Remove". But my personal opinion is that disconnecting is not a destructive action unless there's an open transaction or running query. So the dialog box should be contextual on that scenario, and otherwise it should just disconnect.

"Disconnecting will cancel executing queries and rollback open transactions. Continue? No / Disconnect"

Would you consider submitting a patch?
Actually, I should. The biggest hold up will probably be translations though, unless they have that already translated.
> just replacing the "Yes" button

Or the lazy web dialog popup with "Cancel" and "OK".

So you click on "Cancel Glorping The Frobnitz" and up pops a dialog with "Cancel" and "OK". It always takes a moments thought does the "Cancel" on the popup mean cancel the cancel glorping or cancel the cancel.

Since it takes literally seconds to change the button captions it might be nice to think of something clearer. Seconds if you're a UI expert which I'm not. Of course the webdev part of changing the captions on the page really would be seconds for me to do.

> mean cancel the cancel glorping or cancel the cancel.

Typing error, it should be

> mean cancel the glorping or cancel the cancel.

(comment deleted)
> While the author clearly feels bad about the fact that they've lost his community and that GitHub couldn't restore it (which is honestly what any of us would've felt under similar circumstances), they're also focusing towards the future and using their personal experience as a parable all of us can learn from.

Also, writing a solid blog post about a customer-service corner case and getting it to the top of news.ycombinator can be a great, if somewhat last-ditch, opportunity to escalate a problem.

> I assume that the cascading done on GitHub would be done on a FK constraint

GitHub doesn’t use foreign keys, the cascade delete must have been manually implemented.

https://news.ycombinator.com/item?id=21486494

That it took a half hour to do all the pointless activity says something.
They use Rails, right? It's probably a cascade delete but done on the application, Rails makes that very easy.
I’ve adopted a pattern of:

<dialog-text>

If they click ok:

Asking again to be sure you want to destroy masses of data

<dialog-text>

But even that fails if there is a language barrier.

> But even that fails if there is a language barrier.

Surely GitHub is localized? (and if not, why the hell not?)

I recall that GitHub used to be localised in several languages, but no more. And I can’t seem to find any references to it anymore, either. “GitHub interface translation” gives search results about code, not about GitHub’s interface
> Lesson 2, which was to use soft deletes, is something I have more thoughts about. I assume that the cascading done on GitHub would be done on a FK constraint, but I'm not really sure how you'd do a "cascading soft delete" without making some kind of manual cascading logic

Relying on database cascade deletions is very dangerous. Especially since as the application/org grows, it's easy to lose track of all the things that may get cascaded. There's a good chance you'll find yourself having cascade-deleted data that you never intended to have deleted.

Manually implementing logic for "when archiving X, also archive Y and Z" takes more effort, but is a lot safer. When it comes to data.

What surprised me most is that github performs irreversible deletions when someone making a repository private. I would have expected them to just create a "is_deleted" column and set that flag to true. I wonder how much of this behavior is motivated by GDPR. Ie, complying with it requires completely deleting data when requested by the user, and they decided the most straight forward way to comply with that requirement is to delete the data immediately when requested.

> I assume that the cascading done on GitHub would be done on a FK constraint, but I'm not really sure how you'd do a "cascading soft delete" without making some kind of manual cascading logic?

I'm not at a terminal, so I can't check it out, but could you make a compound foreign key with the soft delete column and use the on update cascade? Something like `alter table stars add foreign key (repo_id, is_deleted) references repos (id, is_deleted) on update cascade;`

> I assume that the cascading done on GitHub would be done on a FK constraint, but I'm not really sure how you'd do a "cascading soft delete" without making some kind of manual cascading logic?

Couldn't you just use an on delete trigger for this? I have no experience one the subject however

An ON UPDATE trigger for the is_deleted column would do.

Some databases also support INSTEAD OF triggers.

Doesn't ON UPDATE only work for foreign keys? As far as I know, it's used to update the foreign key itself, and not values based on relationships.
(comment deleted)
Github is built with MVC. On rails no less. Where problems like soft delete are hard, or even impossible to solve (in scale).

Yet there are many architectures beside MVC. Many of them decades old. Proven. Established. Yet unknown to devs who picked up a rails book on day 1 and never looked back (I've been guilty of that for years).

This particular problem is a textbook candidate for Command Pattern. The problem of undo is solved naturally in any event-sourced setup (git is even sourced, and moving through history a prime feature). Probably more architectures that I'm less familiar with, solve 'undo' as well.

But we are stuck with the web, backends in 2022, being built on MVC frameworks like Rails, where solving such issues is tough and complex. So we are stuck with a huge amount of warning dialogs to 'solve' this.

Point being: choose your architecture well, based on your needs and the tradeoffs. Don't just grab the next fancy framework, because that will decide for you, if, and how you solve things like 'soft delete' or 'undo'.

I don't see why you are thinking it's hard with rails, you just create a default scope in your model "not_deleted", and that's done.

It will apply to all queries unless you specifically call " unscoped"

1. Why would it be particularly difficult for them to have soft deletes in Rails or at scale?

2. Like the article suggests, additional UX improvements could be made besides making it possible to restore a backup or providing an undo action.

3. I feel you are ignoring the fact that technology-wise it was probably Rails along with its MVC model that got them into their scale in the first place.

4. Had they focused on a more exotic architecture from day one, the UX of other features on the site could've been significantly worse.

> 1. Why would it be particularly difficult for them to have soft deletes in Rails or at scale?

I don't know the internals of Github. But we had soft-delete dragging down our database. Indexing, for one, becomes tough.

It also presumes everything lives in a single, canonical, transactional database. In real life, anything of scale, with legacy lives in multiple services. There'll be caches, search-indexes (elastic etc), data-lakes, leader/follower clusters and whatnot. Propagating a "delete" command is no easier or harder in such a setup, than propagating a "flag" which has severe business and security implications.

2. Like the article suggests, additional UX improvements could be made besides making it possible to restore a backup or providing an undo action.

Yup. My point was that with e.g. Event-sourced or Command pattern, you don't even need that whole UI in the first place. There could be a 20 minute "undo" somewhere. Or an "undo" that remains active untill another non-compatible command renders undoing unavailable. This is a common pattern. Which was invented decades ago, and is still used everywhere to solve this exact problem.

Why invent dialogs, soft-deletes, etc, when the problem is solved, done and non-existent, given you make the right choices? Why do software engineers insist on re-inventing wheels every few years rather than grab existing, proven and solid solutions for this?¹

3. I feel you are ignoring the fact that technology-wise it was probably Rails along with its MVC model that got them into their scale in the first place.

Why do you feel this? Rails comes with tradeoffs. I'm not saying "rails was a bad choice" But I'm saying "the choice for Rails brings the tradeoffs that e.g. Undo is hard".

Saying that "it is easy in Rails" is both disingenuous and unfair: there are hundreds of Gems, some of which grown to enormous project almost the size of entire ActiveRecord itself, to tackle these problems: it isn't easy. Papertrail, for example is a magnificent monster. "just drop in papertrail" really is not a solution, it's a problem.

> 4. Had they focused on a more exotic architecture from day one, the UX of other features on the site could've been significantly worse.

I.e. "tradeoffs".

¹ The answer, I'm afraid, is a mix of the doubling-of-developers-every-four-years (forever september), NIH, and unwillingness to invest time in learning the foundations layed out in the past decades. The last is what bothers me most.

> Why do software engineers insist on re-inventing wheels every few years rather than grab existing, proven and solid solutions for this?¹

For one thing, because it works very well and is much easier to wrap your head around than the command pattern (much less undoing a command, and keeping track of which commands make incompatible changes).

These things are worth the effort if you are going to build an app that will be around for ten years and serve an existing market. Much harder to justify if you are still figuring out what you actually need to do.

Like, I agree with you that most developers just don’t know about it yet, and therefore don’t use it, but that’s also a factor of MVC just being the right choice for 90% of all apps, and easier to get started with.

I'm in the process of creating an MVC framework and was curious about the other architectures you mentioned.

This comment seems to be down on MVC and Rails so I was curious about the alternatives you mentioned and came across your post that ended with praise of Rails ( https://berk.es/2022/03/08/the-waning-of-ruby-and-rails/ ):

> Rails still is a great way to get a prototype demo, or minimum viable product online in days with least surprises.

Your comment seems to indicate that you started discovering new architectures like the Command Pattern but it sounds like you are also still a proponent of Rails and MVC based on your blog post. Do you have any links to resources that helped you discover other patterns or could you share what took you on your journey?

In the Rails blog post, you said:

> I have a separate post planned on "RAD web frameworks", MVC and ActiveRecord, but it is safe to say that such frameworks, amongst which Rails, have found their niche, yet are by no means a silver bullet.

Is that post you are planning to write going to delve into some of the architectures you mentioned here? That would definitely be something I would be interested in reading.

I'd suggest going through all Uncle Bob Martin[1]s talks on clean code.

He has a great article (2014), old, on why you may not want to build that framework at all[2] too:

> Using a framework requires a significant commitment. By accepting the framework into your code, you surrender your control over the details that the framework manages. [...] > And yet despite the huge commitment you’ve made to the framework, the framework has made no reciprocal commitment to you at all. That framework is free to evolve in any direction that pleases its author.

Another great source are the books, and/or youtube channel by Dave Farley[3]

What set me on a journey is -decades ago- the pain I, as a developer felt when developing web-applications for my clients. But worse: the pain they felt for getting delivered crap. "Why am I delivering crap" was the question that set me to research frameworks, languages, design patterns and architecture. Drupal, Rails, Django, ASP: I've worked with it, and delivered crap with it.

In general, I found that a framework matters. e.g. the simple act of reading ActiveRecord Critisism on wikipedia[4] got me thingking:

> also due to the strong coupling of database interaction and application logic,

This was true for project D, G and Y! This was why we failed to iterate at any speed at all. Because I can relate it immediate to Real And Actual Problems, Failed Projects, Slipped Deadlines, Burned out colleagues, and so on, all of wich I encountered during my career. Not saying all those problems were caused by ActiveRecord or Rails! But that they were caused by the choice for the wrong framework. Or the choice for a framework at all.

It led me to DDD[5], which then is the gateway into all sorts of Enterprise Patterns. I dislike that name, because the connotation is all wrong. Especially the subtitle of the canonical book on DDD struck a note:

> Tackling Complexity in the Heart of Software

This! This is why I'm delivering crap: I fail to tackle the complexity that inherit in any domain. In e.g. Rails, I would just spread it all over the place, fighting against ActiveRecord and Rails, yet still failing to isolate, modularize and capture that domain.

So I no longer use Rails, nor any framework in my startup. I occasionally do some freelance gigs, often Rails. And the more I learned how to Tackle Complexity in the Heart of Software through choices and tradeoffs, the more I see why a project in Rails that I'm flewn in to salvage, is doomed. It's the choice for Rails. Not lacking of services, not "Fat Models", not "missing tests" nor missing of any sort of "rigorous refactoring" Its Rails! Rails is just unfit for this domain, this problem, this customer.

Yet Rails shines for others: I restate: It's brilliant for simple CRUD. But anything you expect to have any sort of "Complexity in the heart" is probably unfit.

[1] https://www.youtube.com/channel/UCCfqyGl3nq_V0bo64CjZh8g

[2] https://blog.cleancoder.com/uncle-bob/2014/05/11/FrameworkBo...

[3] https://www.youtube.com/channel/UCCfqyGl3nq_V0bo64CjZh8g (his books are promoted on this channel)

[4] https://en.wikipedia.org/wiki/Active_record_pattern#Criticis...

[5] https://martinfowler.com/bliki/DomainDrivenDesign.html

Thanks for the detailed breakdown! This is really helpful and exactly the kind of information I was hoping you would share.
https://github.com/rubysherpas/paranoia is enough to solve problems at very large scales.

There is nothing about Rails or MVC preventing someone from doing this. This is a very common design principle for all kind of ERP and BPM systems: don't ever delete anything.

First: soft-delete really doesn't need a library. Paranoia is nice, but almost all of the code and complexity in that gem is to support multiple versions of rails and to let you configure that gem.

DIY in this case really is very simple. And far more flexible, performant even, and future-proof.

(I've worked on a project where two full-time devs spent days upgrading this gem; this is over 6 years ago). And a few months ago, I worked on a project where they had more code to configure, patch and work around paranoia, than any DIY ever did. My even simpler DIY version not only used 50% of the code we had to override the gem before, it allowed for some custom work that we could not do before.

And no: even DIY ain't as simple as you make it seem. Practical issue, that I encountered last year even, was where their "soft delete" was making state-machines very tough. Because in a FSM, "deleted" wants to be state, like anything else. But the "generic soft-delete" conflicts with that. So the project had both. And some fugly glue-code to sync between the FSM and the soft-delete and vice-versa. No suprise that this broke occasionally, making data re-available that people thought gone.

(comment deleted)
He did have to type "httpie/httpie" in the box to confirm, no? I'm rather surprised that that didn't snap him out of auto-pilot mode. There ought to have been a DING in the brain seeing that the repo this is being applied to was httpie/httpie?

OTOH, I haven't been in such a mode, so I really got no right to comment on this. Best wishes to the team -- that those who saw his post will restar/rewatch the repo -- and (fwiw) thanks for writing it up and making me even more paranoid (in a positive sense) about doing such destructive operations.

By now I've become so accustomed to just copy the bold text from the line above it and paste, that it doesn't break me out anymore. I know I should concentrate and type it out, but in my head it has just become visual noise and a boring exercise.
(comment deleted)
Aha .. perhaps the interface can be changed to prevent copy-paste into that field.
Better would be to not show the repo name directly above the dialog at all so the user actually has to think a bit about what they need to enter. Just re-typing a text shown to you can be done on autopilot as well.
Regarding cascading logic with soft deletes; I think the answer is that you don't cascade anything. You basically need to have `deleted_at IS NULL` conditions in your queries to exclude them.
>I often think scary popup boxes are enough to get people to think about what they're doing

This would entirely depend upon how often it shows up. The more often it shows up when the scare isn't relevant, the less people will pay attention to it.

>the distractions ("Type this repo's name", etc) just go away

I think it shows that what one types needs to be relevant information. In this case, due to the similarity between when the author would've been asked if they did what they were intending to do and what they typed to do what they actually did, we can judge the prompt isn't enough. If this also asked you to type in the number of git stars you were about to lose, that would've been enough to make author recheck exactly what they were doing.

Factorio doesn't say "You'll lose unsaved changes" if you close the game immediately after saving, which is super nice.

The number of games that DO ask this question, immediately after saving, is ridiculously high it's so frustrating.

Your comment missed the main lesson of the post.

GitHub (Microsoft) had a non intuitive UI feature, they themselves were victim of. They restored for their own repo but not for the customer repo...Zero customer focus is the lesson here.

"...In our case, however, they refuse to do that, citing undesirable side effects and the cost of resources. We even offered GitHub financial compensation for any resources required. But, sadly, they declined. They have other priorities than resurrecting the community of one of the oldest and most popular community projects on their platform..."

"...So the answer to the question is, unfortunately, the following: GitHub will restore a repo damaged by making it private. But only if it’s one of their own projects, not a community one.."

I notice there are a lot of people in this comment section who either haven’t read the article at all, or haven’t read it in full. Worth reading the full post before commenting
I read it.

I think there should be a follow-on discussion here about programming paradigm that empowers a "do what I mean not what I say" mentality.

Atlassian's recent fiasco https://www.atlassian.com/engineering/april-2022-outage-upda... is another motivating example for such a paradigm.

The author of the blog touches on this paradigm as a UI element. Software engineers should have pushed that as a "gotcha" up through Product Management to expose controls for such a risky scenario.

Sure, the author should be responsible.

Yes, GitHub should have a better UX around this action.

But...

There is another thing to consider:

Is it really necessary that a repo that is accidentally made private and then made public should lose its stars anyway?

Is that really what the repo owner or the people who starred the repo even want to happen?

Agreed. This just screams bad UX on a corner case.
I don’t know for certain but I feel like this could allow something like 1. Takeover/inherit public repo with lots of stars 2. Take repo private (retaining stars) 3. Replace repo code with some malicious/offensive code. 4. Take repo public again 5. Inherit the trust/prestige of the old repo.
You can do that without the “making it private and public again” part anyway.
But couldn't the same be achieved without taking it private?
Yeah, that's a risk. They could mitigate it by allowing you to revert all branches/tags back to the pre-private state, but we're getting more and more complicated here.
Yeah but it's not like stars are seen as some amazing endorsement on the part of the individual starring. It's more like a favorites list if anything
stars absolutely are seen as an endorsement. I'm guilty of that for sure, and I've been in a ton of conversations about adopting some thing and the "number of stars" is often a consideration unless it's a project like React or Vue, etc.

Would you really not look at two repos that do the same thing, with similar ages and recent commits but one has zero stars and the other has hundreds, and not at least initially trust the latter more?

(comment deleted)
1) probably not the desired experience

2) probably part of the currently required setup on their database side (triggers)

Features tend to evolve evolutionarily and certain data patterns are hard to invent around for security/privacy constraints. So err on the side of deleting rather than potential privacy/security bug.

Definitely fixable with some decent investigation, coding, etc. - but hard to prioritize.

I think this is getting at the more robust solution.

When youtube videos are taken down or made private, they are not deleted necessarily from my playlists. There's simply an indicator that they video is 'no longer available'. I don't see why something similar can't be the behaviour for GitHub stars and watches?

You do lose the title, which is super annoying. "What did I used to have?" Super frustrating feeling.

Here's a list of your favourite songs, but two are missing, have fun figuring out which two it is!

I recently discovered a neat trick that if you Google the url for the private video (you still have this in your list), you're likely to find the title of the video, therefore allowing you to at least figure out what it was and seek out a new video.
Thank You! I needed this all my life!
This works about half the time. It's better than nothing, but not great.
Let's assume that the stars don't go away when the repo is made private. There are a couple of options:

- The users can still see all their stars and find the private repo, which makes it not private.

- The users can't see all their stars, they can only see their stars for the public repos. There's no way to find or unstar a private repo that you starred while it was public. This would lead to the situation that if you unstar everything and make sure you have zero stars, you could wake up the next week with 1 starred repos, and then with 3 starred repos, because some repos went public again.

- The users can see all their stars, but the private ones lead to a 404, which would be perplexing for a greater number of people than the current behavior.

- All private repos that have been public at least once lead to a "this repo is now private" message, that would in practice allow anyone to make an index of all the private repos that were public at least once. And it would also allow anyone to know when a private repo that was private at least once is deleted.

I think the current behaviour is better than all of these options.

> The users can still see all their stars and find the private repo, which makes it not private.

Why seeing a start you made for a previously public repository makes it not private? People remember things too, there's also the webarchive. You should be able to unstar it or keep your star, the only difference is that you don't know if the repository still exists or not.

> the only difference is that you don't know if the repository still exists or not.

If an admin were to private->delete, then all the stars referencing the report would stay and thus the reference to the repo would still be there, on GitHub's servers. There's a difference between GitHub storing things forever and third parties on the internet being a forever archive of visible pages.

But that's an easy fix. If they delete the repo, delete the stars. If they make it private, indicate it is now private in some way.
That's information disclosure; nothing about the repo after it's privated should be known, including name changes and deletion.
It’s unclear to me what the attack vector is for that disclosure.
It was known and there are many sites scraping GH for metadata that will have it anyway
Not whether or not a repo exists after it's set private.
This information is useless. It leaks nothing but name and existence of something once public (that vanished from public view). Most importantly it's not confidential or critical in any way
Your last option sounds appealing to me here. Yes it does mean that you can never really make the name of your repo fully private after it's been started, but the name isn't really what's important most of the time.

And there's always the potential to add a other toggle when privating a repo that lets you force-remove all stars.

Twitter has this kind of problem with likes (or maybe they fixed this since I haven't been on there in a while).

When someone deactivates their account, you can see that you have X additional likes, but you can't access them. If that user reactivates their account, those likes suddenly show back up.

This could be a privacy issue if you've decided to remove likes for a certain categories of posts for whatever reason.

For GitHub, a couple other options I can think of would be to 1. show stars for private repos but only for the purpose of unstarring or 2. hide stars when a repo goes private and then give users an option to re-enable their star if a repo goes back to public. But these options are relatively complex, and I can see why GitHub would go with deletion.

The repo could lead to 404 to everyone, but if someone had starred it they would get a 403. They would be able to see all their stars but not access certain repos because they were made private. Probably less surprising then some of their stars disappearing. They would at least know what happened and it’s not like wouldn’t know the repo was public at some point anyway. Additionally, there could be another button to clear stars and watchers, if the owner of the repo really wants to.
> The users can't see all their stars, they can only see their stars for the public repos. There's no way to find or unstar a private repo that you starred while it was public. This would lead to the situation that if you unstar everything and make sure you have zero stars, you could wake up the next week with 1 starred repos, and then with 3 starred repos, because some repos went public again.

Sounds fine and expected to me.

>I think the current behaviour is better than all of these options.

Current behavior is destructive.

>- All private repos that have been public at least once lead to a "this repo is now private" message, that would in practice allow anyone to make an index of all the private repos that were public at least once. And it would also allow anyone to know when a private repo that was private at least once is deleted.

This is a much better option.

Perhaps 1-2 weeks of warning before a full delete of stars would be desirable for any repo with over 1k stars.

Sorta like most social media apps when you want to delete your account. It doesn't delete it fully until a month later

Totally agree - cascade delete is such a nice thing - until it is not.

Technically you want to delete dependent stuff, but in this case this seems like overstepping on development side.

Do people use GitHub stars for something? Sometimes I star things but I have no idea what it does or why I do it.
In the absence of metrics to use for ranking, it is hilarious how people co-opt whatever weak metrics they find and then retcon a deeper meaning into them.

“They’re not stars, they’re a community!” What percentage of your community actively contributes bugfixes?

It’s basically just a bookmark for yourself. And GitHub shows how many users have “bookmarked” a particular repository.
Oof. Nice write-up, and it'll probably work. I.e. I'd wager that 'no we won't do for you (even in exchange for cash) what we previously did for ourselves' decision is going to get reversed.
I think there are two types of destructive actions; destructive actions you do as a part of completing some other task, and destructive actions you do for compliance reasons.

I think the problem arises when product designers aren't sure which case their data deletion function is for.

If you dumped a bunch of social security numbers in your non-confidential data history and batch job system, you'd want to be able to permanently delete it as part of the incident response, to reduce the number of people that are exposed to data they shouldn't have access to.

But if you delete some lines of code from your text editor, they can just pop back into existence with the press of a key because you were probably just moving them around, or trying some buggy function without a piece of code you thought might be unnecessary to isolating the defect, etc. Editors clearly understand that you don't kill text out of an Emacs buffer to solve a compliance issue, so they keep it around even though you technically asked for it to be deleted. (Imagine how crazy it would be if deleting text in your editor deleted it from memory, the clipboard, version control, and your upstream VC server!)

In the case of this Github issue, there was clearly a fundamental misunderstanding. Github probably imagined the feature as a compliance type thing; get this stuff off the Internet as fast as possible at any cost necessary. Delete the list of people that even knew this thing existed! I could see why someone might want that. But what the user thought was that this was something they needed to do along the way to some other goal.

I have a feeling that people pick the compliance route more often than the "experimentation" route more often than not, not because they expect users to have actual compliance-type issues, but simply because it's easier. The net result is that users are trained to fear computers and fear experimentation, and that's a bad state we've put society in. This article is yet another victim of "if they said they were sure they wanted to delete it, we can just delete it". But it's actually pretty rare that people are sure.