
Discussion on: Should I have separate GitHub accounts for personal and professional projects?

Mike Holloway

I didn't know about the GitHub control thing so I tried to read more about it, but couldn't find much in the way of what conditions allow an organisation to take control of a personal account - have you got a link you can share?

I imagine if the org has control of the email address, that's how they do it, but if the user has control of it - it's not possible?

Anyway, I did find a link that tells you best practices when leaving an organisation in terms of what to do with your account: docs.github.com/en/account-and-pro...

Tony Miller • Edited

Hello, Mike! Here's a comment on Hackernews about GitHub in a thread about Trello: news.ycombinator.com/item?id=22874508

This is where I got my "GitHub too" info from.

Thomas H Jones II

That "GitHub too" thread is pretty light on details. Not really seeing anything that provides any indication of the actual risk-scenario. Is there any other place you've seen mention of an enterprise getting GitHub to hijack (or neuter) an account – especially an account whose primary address (etc.) was outside the company's control?

Mark Bainter

Yeah, that doesn't make any sense with anything in the GitHub organization features of today. Maybe there was something broken in its early days that made this possible?

Or maybe there's a lot more to this story that he's not telling us.

Danny Eck

Previous job was consulting at a Big5 and I used to create a new account per project. After 10+ profiles this was unwieldy.

Now I manage everything through my personal account with PATs and email associations. New projects or forks are owned by the org if they are work-related. I use different gpg signing keys for work vs personal.

Dubious that GitHub would/could allow "overtaking" a personal account by an enterprise customer. At worst, I imagine the enterprise can invalidate the PAT grant and boot you from the org, but your personal account does not suddenly belong to them.

When you leave an organization or project, you should definitely disassociate email in your personal account settings. Same as the org does decommissioning your email account when you leave.

James Liu

Regardless of whether GitHub's TOS allows a company to take control of your account, the company can still sue you for having their property in your account. Even if you clean up and remove yourself from all access, if they are mad at you they can still sue you. If you are right, you get to explain yourself in a fancy, expensive room.

They can also sue GitHub. And remember GitHub will do what a court orders them to do.

This is not legal advice. I am not licensed to practice law anywhere (anymore). This is more ... life advice to the effect of: avoid situations where you need legal advice.