The individual identifying himself as Jim Teeuwen, who maintained GitHub repository for a tool called go-bindata for embedded data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects.
The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained by developer Azer Koçulu from the NPM repository. The deletion of one of these modules, left-pad, broke thousands of Node.js packages that incorporated it and prompted NPM to take the unprecedented step of restoring or “un-un-publishing” the code.
Earlier this week, an unidentified developer, whose Go project stopped functioning as a result of the closure of the jteeuwen account, opened a new GitHub account under the abandoned name and repopulated it with a forked version of the go-bindata package as a workaround to re-enable the broken project.
In a post on that account, Franklin Yu, a Boston-area software engineer in the US, said he was a friend of the person who recreated the account and explained that the repo had been resurrected to fix a private project.
“The current owner had no way to directly redirect the repo, so he made such work-around so that he could safely go home without being blamed by his supervisor,” he explained. “And of course, hoped this would also save someone else trapped in similar situation.”
The security implications of allowing reuse of abandoned names are particularly evident in the domain industry, where expired domains regularly get re-registered by spammers hoping to benefit from whatever trust and traffic the previous owner had accrued.
Developers themselves bear some measure of responsibility for relying on code they can’t control and can’t verify.
But Donat, in a phone interview with The Register, suggested that’s not realistic. “You could argue it’s all down to the developer,” he said. “But the fact of the matter is this is how GitHub is now being used, as a package repository, whether it’s meant to be or not.”
Donat argued that GitHub should address the issue, noting that it would not be difficult to revive an abandoned account name and use it to distribute malware.
Personally I don’t think the onus here is on GitHub. If you delete a username, it becomes free. The problem is with stupid developers who trust an account, instead of downloading the software they depend on and packaging it with their product. We should know by now that anything on the cloud won’t stay there forever.