
Comment by dualvariable

2 days ago

Only thing I can find on requesting to take over an inactive account is here:

> We do not accept requests to release, transfer, or reclaim usernames on the basis that they appear inactive or unused. If the username you want has already been claimed, you will need to select a different available name unless you are submitting a trademark complaint as described below.

https://docs.github.com/en/site-policy/other-site-policies/g...

Also, even if the original user renames or deletes their account, any popular repos they have will get tombstoned, so the new owner can't recreate them:

> GitHub uses a tombstoning algorithm to reduce the risk of repo-jacking by permanently retiring specific owner name, repository name combinations. The github/cmark-gfm example above is purely hypothetical, because, in that scenario, the old name would get automatically tombstoned. For example, even if an attacker managed to register the username github, they would still be prevented from creating a new repository with the name cmark-gfm because that owner name, repository name combination (github/cmark-gfm) would be permanently retired. Therefore, repo-jacking is only a risk for repositories that fall below a certain usage threshold. We don’t tombstone all renamed repositories because there’s a tradeoff between usability and security: a tombstone is a potential inconvenience for our users which we don’t want to impose unless there’s a genuine security-related reason to do so. That’s why our tombstoning policy only kicks in after the repository has met certain criteria, such as exceeding a specific number of clones.

https://github.blog/security/supply-chain-security/how-to-st...

GitHub changed their policy in 2022.

Before that it was possible to contact support to reclaim any username provided that they had no meaningful public repos and they were inactive for a long time. It was at the staff's discretion; there wasn't an elaborate policy of what constitutes inactive, but I've successfully reclaimed a username inactive for 2 years myself.

The old policy was:

    GitHub account names are provided on a first-come, first-served basis, and are intended for immediate and active use. Account names may not be inactively held for future use. GitHub account name squatting is prohibited. Inactive accounts may be renamed or removed by GitHub staff at their discretion. Keep in mind that not all activity on GitHub is publicly visible. Staff will not remove or rename any active account.

    Attempts to sell, buy, or solicit other forms of payment in exchange for account names are prohibited and may result in permanent account suspension.

  • > GitHub changed their policy in 2022.

    Which means that in the age of supply chain attacks, they patched the holes.

    Which is exactly why this policy that AUR has is terrible in 2026.

    The fact that GitHub didn't have that policy back in 2015 isn't the counterexample that the argumentative crowd here seems to think it is.

    That is the GH policy right NOW, in the year of our Dog, 2026.

    AUR is pretty grossly behind the curve, and I'll certainly accept that GH was arguably slow about it.

    Defending AUR's policy on the basis of GH's policy being shitty until relatively recently isn't a good argument.

  • Meanwhile, sometime around then, I changed my GitHub username without reading up on the suggested process before doing so. The idea was to rename my account, then create a new account with the previous username, so no one else could squat it, as it's my firstname + lastname and the combination seems unique in the world, so it's basically just me. But a few seconds after renaming the account, it got squatted, and even requesting GitHub to reclaim it somehow has fallen on deaf ears.

    Lesson learned: create new accounts and never rename usernames, regardless of what rules the platform might share publicly.