This is an anonymous post sent in by a member who does not want their name disclosed. Please be thoughtful with your responses, as these are usually tough posts to write. Email sloan@dev.to if you'd like to leave an anonymous comment or if you want to ask your own anonymous question.
I was just wondering what I should do - I've been using GitHub for around 2 years now, and I don't know if I should create a separate account for purely professional projects. Then, I'd still be able to keep my personal GitHub for anything I'd like to contribute to. Would that be helpful or redundant? I'd love to know some pros and cons.
Top comments (33)
Yes. Same goes for Trello and a bunch of other stuff. GitHub and other tools allow enterprises to overtake your accounts because they might have access to corp info. So if you don't want your account to go towards your ex-employer, you should keep those separate. I don't know why they don't warn you about it when you sign up.
I didn't know about the GitHub control thing so I tried to read more about it, but couldn't find much in the way of what conditions allow an organisation to take control of a personal account - have you got a link you can share?
I imagine if the org has control of the email address, that's how they do it, but if the user has control of it - it's not possible?
Anyway, I did find a link that tells you best practices when leaving an organisation in terms of what to do with your account: docs.github.com/en/account-and-pro...
Previous job was consulting at a Big5 and I used to create a new account per project. After 10+ profiles this was unwieldy.
Now I manage everything through my personal account with PATs and email associations. New projects or forks are owned by the org if they are work-related. I use different gpg signing keys for work vs personal.
Dubious that GitHub would/could allow "overtaking" a personal account by an enterprise customer. At worst, I imagine the enterprise can invalidate the PAT grant and boot you from the org, but your personal account does not suddenly belong to them.
When you leave an organization or project, you should definitely disassociate email in your personal account settings. Same as the org does decommissioning your email account when you leave.
Hello, Mike! Here's a comment on Hackernews about GitHub in a thread about Trello: news.ycombinator.com/item?id=22874508
This is where I got my "GitHub too" info from.
That "GitHub too" thread is pretty light on details. Not really seeing anything that provides any indication of the actual risk-scenario. Is there any other place you've seen mention of an enterprise getting GitHub to hijack (or neuter) an account – especially an account whose primary address (etc.) was outside the company's control?
Yeah, that doesn't make any sense with anything in the GitHub organization features of today. Maybe there was something broken in its early days that made this possible?
Or maybe there's a lot more to this story that he's not telling us.
Regardless of whether Github's TOS allows a company to take control of your account, the company can still sue you for having their property in your account. Even if you clean up and remove yourself from all access, if they are mad at you they can still sue you. If you are right, you get to explain yourself in a fancy, expensive room.
They can also sue Github. And remember Github will do what a court orders them to do.
This is not legal advice. I am not licensed to practice law anywhere (anymore). This is more ... life advice to the effect of: avoid situations where you need legal advice.
As someone who runs a GitHub org I assure you this is not the case for anything up to enterprise. I can only invite you or uninvite you from the organization. I have zero control over your personal account and I have no ability to take it over.
I haven't used the enterprise option - but I have looked into it. As I understand it, at that level they essentially have their own GitHub implementation and thus their own user space separate from GitHub proper. They create your account like they would any other service, so I don't think this would even be a question in that scenario.
Good to hear, probably the whole thing was improved since then.
There shouldn't be much difference between your personal and "professional" projects.
If you're talking about a work account, things are different. Jobs could give you your own account they manage. Or they could just have you use your own personal one.
Another thing to consider is switching GitHub accounts on the same machine can be a pain, so using the same one on the same machine should be the goal.
I am the owner of 4 GitHub Orgs with plans ranging from Free to Enterprise, IMO there is only one reason I would ever have separate Personal and Work accounts, and that’s if I wanted to conceal my personal activities from my coworkers.
Outside of that reason, there’s no value and you’re just complicating things for yourself. Your account does not become company property by joining an org, I simply remove you from the org when you’re offboarded.
I want to clearly demarcate between the work I do for my employer and the work I do in my own time on my own projects. I've had employers in the past that claim to own anything I do in their "time" or with their "resources" so this distinction is important to make.
On the plus side, your commit history makes it pretty easy to prove the necessary demarcation (especially if you've set up your profile with multiple email addresses and associated signing-keys).
I suppose it depends on what you're trying to prove to who. Commit timestamps can be set to any time you want. The fact that you commit with a different email address doesn't really mean much either since you could easily commit using work time and resources with a personal address.
I usually don't like peremptory assertions, but here I would say definitely yes. There are security risks too:
If something bad happens to you, it's uncool but it's only you, but if you mess up with your customers/employers, it's a different case.
More generally, it's better not to put all your eggs in one basket, and if you find it a bit overkill or inconvenient, use a password manager.
Unfortunately a password manager doesn't really solve much of the inconvenience of needing to log out, log back in, and use 2FA again.
Some password managers do integrate 2FA.
Yes, some do. But it's still another step to do in order to switch accounts rather than just use the same account.
Convenience should not prevail over security, to me.
I generally agree. Although security and convenience is almost always a tradeoff. You need to weigh the possible security risks against the inconvenience. For me, I don't see the security risk as significant enough to warrant the inconvenience. For someone else, that decision might be different.
I don't understand the risk you're envisioning here. Can you elaborate?
We shouldn't be any more careless with our personal GitHub than our work one, so what are we talking about here?
IMO if it is really needed or the organisation is closed source you should consider creating a different account for that.
For all other tasks and open source organizations you can use your personal account without any worries; just add your professional email ID and use it for signing off whenever you are putting anything into professional projects.
I use separate accounts for my personal and work emails. I manage them by creating separate Chrome profiles, so I can access the correct GitHub account from the browser.
I also use GitKraken which supports multiple profiles.
Overall, this works pretty well for me.
This works for social media accounts, but for dev accounts I highly suggest you don't do that. Just set it to not display your contribution history in any private repo. You can set this in the Settings menu.
If you just want to not clutter your GitHub account with many repos (to make searching easier), you can use another git service. I've been using sr.ht for dumping my prototype, example, and reproduce-bug repos.
Most projects you work on in a professional environment will be owned by the company or team, so that will be separate from your profile.
Otherwise I see no need to keep your own professional work separate from your other stuff, other than maybe keeping things organised if you have many repos.
I use one account with different emails, access tokens, and ssh keys. I have GPG only linked to my personal emails, and I see more issues maintaining multiple accounts.
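The single-account setup described in the two comments above (one GitHub account, a work email and signing key for work repos, a personal email and key for everything else) can be driven entirely by git's conditional includes, so the identity is chosen by where the repo lives rather than by remembering to switch. This is an added, constructed example and not code from any commenter; the email addresses, key IDs and directory names are placeholders, and it runs in a throwaway HOME so it never touches your real `~/.gitconfig`.

```shell
#!/bin/sh
# Constructed demo: per-directory git identity on one account.
# Assumes git is installed; all identities below are placeholders.
set -eu

SANDBOX="$(mktemp -d)"
export HOME="$SANDBOX"                    # isolate from the real ~/.gitconfig
export XDG_CONFIG_HOME="$SANDBOX/.config" # and from ~/.config/git/config
export GIT_CONFIG_NOSYSTEM=1              # and from /etc/gitconfig
mkdir -p "$HOME/personal" "$HOME/work"

# Base identity: personal email and personal signing key, signing on by default.
# Anything cloned under ~/work/ pulls in the work override instead.
cat > "$HOME/.gitconfig" <<'EOF'
[user]
    email = me@personal.example
    signingkey = PERSONAL_KEY_ID_PLACEHOLDER
[commit]
    gpgsign = true
[includeIf "gitdir:~/work/"]
    path = ~/.gitconfig-work
EOF

cat > "$HOME/.gitconfig-work" <<'EOF'
[user]
    email = me@employer.example
    signingkey = WORK_KEY_ID_PLACEHOLDER
EOF

# Report the identity a commit made in repo $1 would carry.
effective_email() {
  git -C "$1" config user.email
}
effective_signingkey() {
  git -C "$1" config user.signingkey
}

# Two repos, one on each side of the boundary.
git init -q "$HOME/personal/side-project"
git init -q "$HOME/work/client-app"

echo "personal: $(effective_email "$HOME/personal/side-project") / $(effective_signingkey "$HOME/personal/side-project")"
echo "work:     $(effective_email "$HOME/work/client-app") / $(effective_signingkey "$HOME/work/client-app")"
```

Because the override is keyed on the repo path, a work checkout accidentally placed outside `~/work/` would be signed with the personal key; `git log --show-signature` on the first commit is a cheap way to confirm which identity a new repo picked up.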
I would suggest checking your contract and labour laws. There may be a clause stating your employer owns the copyright for all the software you create, even the ones you develop in your free time. If this is true for you, having a separate account does not make any difference. I'm a software engineer, not a lawyer, so please check with your company's legal or open-source program office.