Both GitHub and GitLab allow accounts to be created by individuals (13+ years old) and they never verify that a new account is actually held by a single individual. However, it is likely that creating a large number of accounts in an automated way triggers some kind of (i) technical and/or (ii) legal response that ends with the termination of those accounts.
This limitation means that a single fedeproxy server that creates accounts on behalf of its users cannot scale beyond a given threshold. My gut feeling is that a few hundred users would still be under the radar. If the threshold were lower, chances are medium-sized companies with a few hundred employees and a single firewall would randomly be mistaken for a third-party service. For the time being it is unlikely to be a problem for fedeproxy and could probably be ignored.
The other problem is the technical complexity of automatically creating an account. Answering captchas and implementing various 2FA methods is non-trivial, and the cost of maintaining the associated code base is significant. Unlike the threshold mentioned above, this is an immediate blocker that needs to be addressed, otherwise fedeproxy cannot work at all. Bots exist to interact with GitHub or GitLab, but they all require that the user already has an account (and therefore has agreed to the TOS), which is precisely what fedeproxy is supposed to remedy.
Here are ideas to approach the problem:
- Hard Core: write the code and maintain it, in the same way youtube-dl does, for the sake of interoperability, in a constant battle against GitHub and GitLab.
- Crowd Source Accounts: run a campaign calling for GitHub and GitLab account donations to fedeproxy. Since every Free Software developer has already agreed to the GitHub TOS and has an account, ask each of them to kindly and manually open another one and donate it to a fedeproxy instance, for someone else to use.
The Crowd Source idea could probably be extended to organizations that have a paid contract with GitHub or GitLab that allows them to create accounts on behalf of their employees. Such organizations could donate dozens of accounts to fedeproxy servers or, even better, run their own fedeproxy server and allow it to tap into this pool of pre-created accounts.
I like this approach better than Hard Core because it has a very low maintenance cost, works out of the box, is sustainable and scales out.
- Sustainable: There is no expiration date on a GitHub or GitLab account and the maintenance fees are zero.
- Out of the box: With the donation of a single account, one user can benefit from fedeproxy. An API access token is all that is needed.
- Scales out: As forge federation, as a concept, becomes more popular, more individuals and organizations will have an incentive to increase this pool of accounts reserved for federation.
What do you think?