Authentication with GitLab & GitHub


Both GitHub and GitLab allow accounts to be created by individuals (13+ years old) and they never verify that a new account is actually held by a single individual. However, it is likely that creating a large number of accounts in an automated way triggers some kind of (i) technical and/or (ii) legal response that concludes with the termination of such accounts.

This limitation means that a single fedeproxy server that creates accounts on behalf of its users cannot scale beyond a given threshold. My gut feeling is that a few hundred users would still be under the radar. If the threshold were lower, chances are medium-sized companies with a few hundred employees and a single firewall would randomly be mistaken for a third-party service. For the time being it is unlikely to be a problem for fedeproxy and could probably be ignored.

The other problem is related to the technical complexity of automatically creating an account. Answering CAPTCHAs and implementing various 2FA methods is non-trivial and the cost of maintaining the associated code base is significant. Unlike the threshold mentioned above, it is an immediate blocker that needs to be addressed, otherwise fedeproxy cannot work at all. Bots exist to interact with GitHub or GitLab, but they all require that the user already has an account (and therefore agrees to the ToS), which is precisely what fedeproxy is supposed to remedy.

Here are ideas to approach the problem:

  • Hard core: write the code and maintain it, in the same way youtube-dl does, for the sake of interoperability, in a constant battle against GitHub and GitLab.
  • Crowd Source Accounts: run a campaign calling for GitHub and GitLab account donations to fedeproxy. Since every Free Software developer has already agreed to the GitHub ToS and has an account, ask each of them to kindly and manually open another one and donate it to a fedeproxy instance, for someone else to use.

The Crowd Source idea could probably be extended to organizations that have a paid contract with GitHub or GitLab that allows them to create accounts on behalf of their employees. Such organizations could donate dozens of accounts to fedeproxy servers or, even better, run their own fedeproxy server and allow it to tap into this pool of pre-created accounts.

I like this approach better than Hard Core because it has a very low maintenance cost, works out of the box, is sustainable, and scales out.

  • Sustainable: There is no expiration date on a GitHub or GitLab account and the maintenance fees are zero.
  • Out of the box: With a donation of a single account, one user can benefit from fedeproxy. An API access token is all it needs.
  • Scales out: As forge federation, as a concept, becomes more popular, more individuals and organizations will have an incentive to increase this pool of accounts reserved for federation.

What do you think?

GitHub ToS say (point B.3): “One person or legal entity may maintain no more than one free Account (if you choose to control a machine account as well, that’s fine, but it can only be used for running a machine).”

And “A machine account is used exclusively for performing automated tasks”.

Now, in practice, I know GitHub does not check (and people do not read the ToS). But if people agreed to the ToS, they also agreed to not create a free account. However, I do not know how it works for paid accounts.


Right. And there will be a high percentage of people who will actually be scared of the consequences if they open another account and donate it to a fedeproxy server, even though the worst that can happen is that the account is silently closed. And that the likelihood of that happening is virtually zero within the next two years. But I do hope that's not the majority :)