They implemented spam detection in a way that minimizes the potential impact, prominently notified the affected user, provided a mechanism for solving the problem and did so quickly.
I understand the author's frustration and sympathize, but I'm not sure how much better GitHub could have done here.
1. Why did it happen in the first place? I have a very active account with lots of "human" evidence. If I'd posted a single spammy link or something in a Gist (which I didn't) how does that override the fact that I'd just committed and updated my Wiki 12 hours ago?
2. Why not notify me and let me respond? If the account is flagged, send an email and require me to log in, answer a question, perform a captcha, etc. I'd even be okay with it if they flagged the account first and then sent me an email, but the only way I found out about this is by logging in this morning.
I love Github, but I think this system / policy could use some work.
I get a lot of child porn link spam and am currently looking into OCR software to identify images spam bots post, because the spammers have been hard at work at circumventing any other measure I put in place. With that kind of thing being "spam", I can't be nice about it. I need to be zero-tolerance on any detection, even if it may be a false positive.
As for why it's not reviewed by a human: that may not scale. My forum is rather small, 30000 unique visitors per month, but even so, with a team of three people, there is simply no way to look at everything identified as spam. And going by the contacts we get from users about false positives, even if I assume 10 times as many things are false positives than people ask us about, we're still below 1%.
Also, at a wild guess: With an account as big as yours, maybe you just went past a total size limit for all the repos in your account, looking like a bot trying to treat github like a storage system.
Lastly, something meant to be friendly advice: I understand that you're a little upset, but going to the effort of writing such a big blog post, and using that strong language for something that did no actual damage, is over the top. This may not be part of your daily dealings, but before you attack GitHub over this, I invite you to try and spend some time thinking about how you could write bots to abuse GitHub, which is pretty much a publicly writable storage system, and how you would counteract such abuse.
There are robots everywhere: for example, Rust's GitHub repos wouldn't work the same without bors or highfive.
If I remember correctly, GitHub itself definitely used to allow robots for such use cases.
Why is it so surprising and upsetting that something like this occurred? I've always taken the approach that data shared to these types of services are, fundamentally, out of my ultimate control - is this not a common viewpoint?
By using GitHub, or any other service for that matter, you're literally giving someone else your data to manage and are at their mercy. Yes, you'd hope that that service would continue to operate and provide value to you but you do have to take steps to make sure that you have alternatives in place should the worst happen.
The real core of it is: what is it that makes events like these so intensely surprising and personal to those who experience them?
Finally, I'd have to say that GitHub did everything correctly here, they responded quickly, rectified the fault and gave a reasonable answer.
Instant-banning a long-term active user and not telling him what was THAT suspicious in his user activity that they had to ban him doesn't seem to match being "open".
In my opinion, the active account of a long-term user should get so much "positive score" in the banning rules that it shouldn't instant-ban him. It couldn't be a scenario like "your account had been taken over": they told him he got into the spam filters. He should have been given at least 24 hours to react before they hid all his stuff.
but yeah.
nobody should treat github seriously. not anymore.
So, two comments.
First, GitHub, if you believe an account is not associated with a human, put a banner up on all of their pages, one that _everyone_ can see. For the banner visible to everyone, say something like "We [GitHub] think this account's owner is not human. Please have the account owner log in ASAP, or this page will disappear soon!"
Next, don't forget that this is Git. If you don't have 100% trust in GitHub, then just mirror your repo somewhere else. Spend the $20 a month to get an account at a web host that supports cron jobs, and run a mirror script every five minutes.
Better yet, just host your code on your own stuff and sync it over to GitHub using a hook. Deploying gogs or gitlab using docker is dead easy.
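A minimal version of the two setups the comment describes (a cron-driven mirror of a hosted repo, and a self-hosted bare repo with a hook that pushes to a hosted replica), added here as an illustration; it is not code from the thread or from GitHub, and the remote name `replica`, the paths and the five-minute cadence are assumptions:

```shell
#!/bin/sh
# Added example: keep an independent copy of a git repository so that a
# provider-side lockout (like the one discussed) never takes your only copy.
set -eu

# mirror_repo SOURCE_URL MIRROR_DIR
# First run: bare --mirror clone (every ref: branches, tags, notes).
# Later runs: fetch with pruning so the mirror tracks the source exactly,
# including deleted branches. Intended to be called from cron, e.g.
#   */5 * * * * /path/to/mirror.sh   (assumed schedule)
mirror_repo() {
    src="$1"; dst="$2"
    if [ ! -d "$dst" ]; then
        git clone --quiet --mirror "$src" "$dst"
    else
        git -C "$dst" fetch --quiet --prune origin
    fi
}

# install_push_hook BARE_REPO_DIR REMOTE_URL
# Self-hosted variant: a post-receive hook on your own bare repo pushes every
# accepted update to a second remote (assumed name "replica", e.g. GitHub),
# so the hosted copy is a replica and your own server stays the source of truth.
install_push_hook() {
    repo="$1"; remote="$2"
    git -C "$repo" remote add replica "$remote" 2>/dev/null ||
        git -C "$repo" remote set-url replica "$remote"
    hook="$repo/hooks/post-receive"
    printf '%s\n' '#!/bin/sh' \
        '# Push all refs to the replica; a failure here must not reject the local push.' \
        'git push --quiet --mirror replica || echo "replica push failed; next push retries" >&2' \
        > "$hook"
    chmod +x "$hook"
}

# head_of REPO_DIR: commit id of HEAD, to check that source and copies agree.
head_of() { git -C "$1" rev-parse HEAD; }
```

Compare `head_of` on the source and on each copy after a sync; a mismatch means the mirror job or the hook is not running.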
It's hard to think of a better way to handle this. Github's current behavior is to remove your account from public view until it can be determined your account wasn't compromised. During this time, you can still push to your repos and do any other write operation. Another way to handle this would be to make your account read-only without hiding anything. The latter is objectively worse: imagine suddenly not being able to do anything.
Gitlab is quite pleasant nowadays, so that's an option.
Them making your account read-only should not lead to you not being able to do anything.
I don't know much about spam-fighting, so I don't know to what extent this "obscurity" strategy is viable there, but this is at best a bad analogy since the consensus seems to be that security protocols that you have to hide are not good security protocols.
Security by obscurity cannot be the only approach to security, but it's certainly a valid tool. Militaries and security services the world over have relied on it throughout history, for instance.
(Don't know why you and all my neutral comments are downvoted. Angry GitHub employees here?)
It's not ideal, and maybe a warning would have been nice... however, I feel like GitHub handled it way better than most other sites would. If this happened to me, I would have had no complaints.
Now I'm sure I would still feel inconvenienced for this having happened at all, but again, with things presented so clearly, it falls into my "well, shit happens" bucket rather than the "I am morally outraged and cannot conceive how this would ever occur!" bucket.
Maybe it's because I can conceive how this would occur? Having only tangentially worked with a few such systems (e.g. identifying bot behavior), false positives come with the territory and so I've got some empathy for the Customer Support reps who have to deal with the fallout from edge cases in such a system.
Feels a lot like having a credit card get locked while traveling (which I have had happen despite notifying the issuer of impending travel). That is, a system which helps in most cases wound up classifying me as a different-from-most case. That's going to keep happening throughout my life. It's part of the automation-assisted world we live in.
The question is how Github handles these cases, and I think they did fine.