This is an anonymous post sent in by a member who does not want their name disclosed. Please be thoughtful with your responses, as these are usuall...
Yes. Same goes for Trello and a bunch of other stuff. GitHub and other tools allow enterprises to overtake your accounts because they might have access to corp info. So if you don't want your account to go towards your ex-employer, you should keep those separate. I don't know why they don't warn you about it when you sign up.
I didn't know about the GitHub control thing so I tried to read more about it, but couldn't find much in the way of what conditions allow an organisation to take control of a personal account - have you got a link you can share?
I imagine if the org has control of the email address, that's how they do it, but if the user has control of it - it's not possible?
Anyway, I did find a link that tells you best practices when leaving an organisation in terms of what to do with your account: docs.github.com/en/account-and-pro...
Previous job was consulting at a Big5 and I used to create a new account per project. After 10+ profiles this was unwieldy.
Now I manage everything through my personal account with PATs and email associations. New projects or forks are owned by the org if they are work-related. I use different gpg signing keys for work vs personal.
Dubious that GitHub would/could allow "overtaking" a personal account by an enterprise customer. At worst, I imagine the enterprise can invalidate the PAT grant and boot you from the org, but your personal account does not suddenly belong to them.
When you leave an organization or project, you should definitely disassociate the email in your personal account settings, the same way the org decommissions your email account when you leave.
Hello, Mike! Here's a comment on Hackernews about GitHub in a thread about Trello: news.ycombinator.com/item?id=22874508
This is where I got my "GitHub too" info from.
That "GitHub too" thread is pretty light on details. Not really seeing anything that provides any indication of the actual risk-scenario. Is there any other place you've seen mention of an enterprise getting GitHub to hijack (or neuter) an account – especially an account whose primary address (etc.) was outside the company's control?
Yeah, that doesn't make any sense with anything in the GitHub organization features of today. Maybe there was something broken in its early days that made this possible?
Or maybe there's a lot more to this story that he's not telling us.
Regardless of whether Github's TOS allows a company to take control of your account, the company can still sue you for having their property in your account. Even if you clean up and remove yourself from all access, if they are mad at you they can still sue you. If you are right, you get to explain yourself in a fancy, expensive room.
They can also sue Github. And remember Github will do what a court orders them to do.
This is not legal advice. I am not licensed to practice law anywhere (anymore). This is more ... life advice to the effect of: avoid situations where you need legal advice.
As someone who runs a GitHub org I assure you this is not the case for anything up to enterprise. I can only invite you or uninvite you from the organization. I have zero control over your personal account and I have no ability to take it over.
I haven't used the enterprise option - but I have looked into it. As I understand it, at that level they essentially have their own GitHub implementation and thus their own user space separate from GitHub proper. They create your account like they would for any other service, so I don't think this would even be a question in that scenario.
Good to hear, probably the whole thing was improved since then.
There shouldn't be much difference between your personal and "professional" projects.
If you're talking about a work account, things are different. Jobs could give you your own account that they manage. Or they could just have you use your own personal one.
Another thing to consider is that switching GitHub accounts on the same machine can be a pain, so using the same one on the same machine should be the goal.
I am the owner of 4 GitHub Orgs with plans ranging from Free to Enterprise, IMO there is only one reason I would ever have separate Personal and Work accounts, and that’s if I wanted to conceal my personal activities from my coworkers.
Outside of that reason, there’s no value and you’re just complicating things for yourself. Your account does not become company property by joining an org, I simply remove you from the org when you’re offboarded.
I want to clearly demarcate between the work I do for my employer and the work I do in my own time on my own projects. I've had employers in the past that claim to own anything I do in their "time" or with their "resources", so this distinction is important to make.
On the plus side, your commit history makes it pretty easy to prove the necessary demarcation (especially if you've set up your profile with multiple email addresses and associated signing-keys).
I suppose it depends on what you're trying to prove to who. Commit timestamps can be set to any time you want. The fact that you commit with a different email address doesn't really mean much either since you could easily commit using work time and resources with a personal address.
I usually don't like peremptory assertions, but here I would say definitely yes. There are security risks too:
If something bad happens to you, it's uncool but it's only you, but if you mess up with your customers/employers, it's a different case.
More generally, it's better not to put all your eggs in one basket, and if you find it a bit overkill or inconvenient, use a password manager.
Unfortunately a password manager doesn't really solve much of the inconvenience of needing to log out, log back in, and use 2FA again.
some password managers do integrate 2fa
Yes, some do. But it's still another step to do in order to switch accounts rather than just use the same account.
convenience should not prevail over security, to me.
I generally agree. Although security and convenience is almost always a tradeoff. You need to weigh the possible security risks against the inconvenience. For me, I don't see the security risk as significant enough to warrant the inconvenience. For someone else, that decision might be different.
I don't understand the risk you're envisioning here. Can you elaborate?
We shouldn't be any more careless with our personal GitHub than our work one, so what are we talking about here?
IMO if it is really needed or the organisation is closed source you should consider creating a different account for that.
For all other tasks and open source organizations you can use your personal account without any worries; just add your professional email ID and use it for signing off whenever you are putting anything into professional projects.
I use separate accounts for my personal and work emails. I manage them by creating separate Chrome profiles, so I can access the correct GitHub account from the browser.
I also use GitKraken which supports multiple profiles.
Overall, this works pretty well for me.
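For the command-line side of the same setup (two accounts on one machine, no logging in and out), here is an added example that is not part of any comment in this thread. It puts one SSH key per account behind an SSH `Host` alias with `IdentitiesOnly`, and uses git's `url.<base>.insteadOf` rewriting so that repos in the work org reach GitHub through the work key and every other github.com URL goes through the personal key. The alias names, the org name `example-corp`, the key paths and the repo URLs are placeholders; the script runs in a throwaway HOME so nothing real is touched.

```shell
#!/bin/sh
# Added example (not from the thread): two GitHub accounts on one machine,
# each with its own SSH key, selected by git URL rewriting rather than by
# logging in and out. Org name, key paths and URLs are placeholders.
set -eu

# Throwaway HOME so the real ~/.ssh/config and ~/.gitconfig are untouched.
DEMO="$(cd "$(mktemp -d)" && pwd -P)"
export HOME="$DEMO/home"
unset GIT_CONFIG_GLOBAL GIT_CONFIG_SYSTEM

setup_accounts() {
    mkdir -p "$HOME/.ssh"
    # One Host alias per account. IdentitiesOnly stops ssh from offering the
    # other account's key (or agent keys) first; GitHub binds the session to
    # whichever key it accepts, so offering the wrong one first means pushing
    # as the wrong user.
    cat > "$HOME/.ssh/config" <<'EOF'
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host github-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal
    IdentitiesOnly yes
EOF
    chmod 600 "$HOME/.ssh/config"
    # Rewrite rules: git applies the longest matching prefix, so clones of the
    # work org go through github-work and all other github.com URLs through
    # github-personal. Repos keep the canonical github.com URL as typed.
    git config --global url."git@github-work:example-corp/".insteadOf "git@github.com:example-corp/"
    git config --global url."git@github-personal:".insteadOf "git@github.com:"
}

# Print the URL git would actually connect to for remote URL $1, offline:
# ls-remote --get-url only expands insteadOf config and never talks to the remote.
resolved_url() {
    r="$(mktemp -d)"
    git -C "$r" init -q
    git -C "$r" remote add origin "$1"
    git -C "$r" ls-remote --get-url origin
    rm -rf "$r"
}

setup_accounts
echo "git@github.com:example-corp/api.git -> $(resolved_url git@github.com:example-corp/api.git)"
echo "git@github.com:me/dotfiles.git      -> $(resolved_url git@github.com:me/dotfiles.git)"
```

To confirm which account GitHub actually sees for each alias, `ssh -T git@github-work` and `ssh -T git@github-personal` each print the username the key is registered to; `ssh -G github-work` shows the resolved `identityfile` without connecting. The commit email still has to be set per repo or per directory tree separately; the URL rewrite only decides which key is used for transport.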
This works for social media accounts, but for dev accounts I highly suggest you don't do that. Just make it not display your contribution history in any private repo. You can set this in the Settings menu.
If you just want to not clutter your GitHub account with many repos (to make searching easier), you can use another git service. I've been using sr.ht for dumping my prototype, example and reproduce-bug repos.
Most projects you work on in a professional environment will be owned by the company or team, so that will be separate from your profile.
Otherwise I see no need to keep your own professional work separate from your other stuff, other than maybe keeping things organised if you have many repos.
I use one account with different emails, access tokens, and ssh keys. I have GPG only linked to my personal emails, and I see more issues maintaining multiple accounts.
I would suggest checking your contract and labour laws. There may be a clause stating your employer owns the copyright for all the software you create, even the one you develop in your free time. If this is true for you, having a separate account does not make any difference. I'm a software engineer, so please check with your company's legal or open-source program office.
Possibly but you could also make professional account private if you did not want to share the codebase.
I use the same account for personal use and professional use.
I have no issues and it simplifies my configuration of git, login-management and so on.
When I join a company, they provide access to my account, then they revoke it later.
I can also remove myself if they take too long to do so, which is great.
Another plus is that I get to keep a clean history of every piece of work I did for any company in the past (provided it is on GitHub).
Store your professional projects in an organization. Store your personal projects on your personal account. You can access them both with the same personal account.
An organization is an account that has no login. Instead it has members. There can be only one member, if you practice your profession alone. If you are employed, your employer should have an organization (or many organizations under an enterprise), and you should be made a member in those organizations that you work in.
Organizations have different free and paid levels with increasing features. Paid levels can require authentication from the employer's identity provider (e.g. Microsoft or Google) daily before access to the organization resources. They can synchronize team memberships from groups on the identity provider. Organizations can belong to an Enterprise account. There are different Enterprise accounts too: Enterprise Cloud on github.com using GitHub accounts, Cloud with managed user accounts on github.com (where the enterprise identity provider is the sole account, which also makes the account hidden from the rest of github.com and hence turns the user into a ghost user with many limitations, e.g. being unable to request support from or make pull requests on any 3rd party projects they use on GitHub), or Enterprise Server on a different domain that you run on your own servers with managed accounts.
Unlike what some people have commented, there is no account takeover. The employee is simply removed from the organization and all access to organization private repositories and forks is removed. Organization owners can delete forks of private repositories even on personal accounts, if they have allowed them to be created. The forks of private repositories are always private and share permissions with the upstream.
Organization membership can be hidden. An organization can require 2FA of members.
An organization can and should disallow using PATs to access organization repositories. Organization owners can revoke fine-grained personal access tokens that have access to the organization.
In summary, use only one GitHub personal account. There are no pros for using multiple personal accounts. GitHub recommends that you use one personal account for all your work on GitHub.com.
I use one account but associate work and private emails – and signing-keys – to the account. If a project wants commits with "their" email address (or signing-key), I configure my git client to do The Right Thing™ ...I think I even posted an article to dev.to a year or so ago about how to set up my client so it's painless (projects in my local repos' "work" and "personal" directory trees use the correct commit info).
I mean, my employer is a consulting company. We service many distinct customers. That makes it necessary for me to need to contribute to their projects in a way that requires distinct attribution. But, I didn't want a bajillion profiles, so, the multiple emails and keys option was how to make it all manageable (and let me keep a consolidated activity dashboard and not have to configure/manage multiple, 2FA-enabled accounts).
I don't know if there's a better or worse approach. I personally have it all in the same account because I'm too lazy to switch accounts xD I think it's personal preference
Way easier to use one account imo, unless you use a completely different computer for work but I use my personal since I work from home
As others said, I think one profile is good enough, keep it simple.