
Gitlab deletes then opens account to others without warning - threatofrain
.
======
AnonC
The historical nature of or convention on the web has been first come first
served on names. Most well designed systems will never change a username due
to inactivity or for any reason other than the owner requesting it (even
that’s not allowed on most systems). Usernames that aren’t actively used,
after a known period of inactivity, may be deleted along with content
associated with that username.

Look at email addresses: platforms like Gmail and Yahoo will delete your
account for inactivity with adequate advance warning, but they will not
release your email address for someone else to claim in the future (on the
other hand, paid platforms like Fastmail and Posteo will allow your deleted
addresses on their domains to be grabbed by anyone).

With GitLab’s policy of renaming inactive accounts without any warning or
notice, any links that someone has shared could later point to a different
person. A “404 Not Found” error or an “email address does not exist” error is
far better, IMO, than redirecting someone to a totally different person.

If an inactive username is to be released back for use by someone else, there
should be a significant duration from the time the username is disabled to the
time when it’s available for someone else.

~~~
emilycook
We clearly outline what we consider dormant here:
[https://about.gitlab.com/support/#dormant-namespace-
requests](https://about.gitlab.com/support/#dormant-namespace-requests)

It's to prevent name-squatting, GitHub has a similar policy:
[https://docs.github.com/en/github/site-policy/github-
usernam...](https://docs.github.com/en/github/site-policy/github-username-
policy)

~~~
anonymoushn
That's not a similar policy.

------
weimeng
I'm from GitLab support. We do have a dormant namespace release policy which
your account may have been eligible under:

[https://about.gitlab.com/support/#dormant-namespace-
requests](https://about.gitlab.com/support/#dormant-namespace-requests)

If your account was released under this policy, it's likely your username was
renamed to <username>_idle, as documented here:

[https://about.gitlab.com/handbook/support/workflows/dormant_...](https://about.gitlab.com/handbook/support/workflows/dormant_username_policy.html#request-
successful)

I don't know what happened with your account specifically as you haven't
mentioned your username. You can always drop us a support request regarding
your account here:

[https://support.gitlab.com/hc/en-us](https://support.gitlab.com/hc/en-us)

------
njsubedi
That's crazy! Moved to Gitlab for some projects because of Github horror
stories, and now this? The only "safe" way to do anything is to self host
everything, it seems.

------
jonnyrockit
This is a pathetic policy, Gitlab. For this reason alone, I'll stick to
GitHub.

What if I'm hospitalized or away on an extended trip? You just going to let
someone else take my account username?

No thanks.

~~~
emilycook
I wouldn't worry about that, we have clear conditions that need to be met
before we release a username [1]. It's meant to prevent name-squatting, not
take usernames away from actual users. Although I do want to point out that
GitHub also has this [2], it's just worded differently and doesn't outline
what they consider "inactive".

[1] [https://about.gitlab.com/support/#dormant-namespace-
requests](https://about.gitlab.com/support/#dormant-namespace-requests)

[2] [https://docs.github.com/en/github/site-policy/github-
usernam...](https://docs.github.com/en/github/site-policy/github-username-
policy)

~~~
anonymoushn
What's an "active project"? OP says they discovered that their account had
been renamed by having their workflow break. What kind of activity was OP
regularly engaging in that depended on OP's account existing with the original
name but did not flag OP's account as active?

------
ciarannolan
I feel like we're missing part of the story here. Are we?

~~~
threatofrain
I'm a low volume and boring user. I also have <no> messaging from GitLab, so
there isn't much to say.

Also, what kind of poor user behavior on my part means opening up my account
for registration? Let's say that Rush Limbaugh is kicked off of Twitter for
bad behavior — should I be able to claim his account?

And shouldn't the hypothetical Twitter user get an email warning them that
their account is about to be opened up for public registration? I only tried
to register under my own account to test whether my account had been disabled.

~~~
stunt
This is about Gitlab's dormant policy which is similar to Github's name
squatting policy.

Only happens to long inactive accounts and both platforms will not notify the
owner since it's about name squatting. They just rename the handle and you
still have your account.

Why anyone should be concerned if his account has been inactive for a long
time?

~~~
lostmsu
Yes. I am sure there are many, but here's one stupid reason:

    
    
      pip install git+https://gitlab.com/me/lib

------
cynix
I've had a similar experience: Gitlab renamed my account after a period of
inactivity without any warning, and someone else took my username :(

~~~
emilycook
For future reference, you can see what we consider dormant here:
[https://about.gitlab.com/support/#dormant-namespace-
requests](https://about.gitlab.com/support/#dormant-namespace-requests)

------
reustle
Isn't this a considerable security issue?

------
l0b0
Looks like someone broke the URL and description. Is this being buried?

