Blog
This is the final straw - I'm leaving GitHub
2 Apr 2026, 1:29 PM
I have hosted code on GitHub for a long time now. I guess it’s the standard. You can’t really be an open source software dev/contributor without using it. But there are a few problems. Like GitHub itself isn’t open source, despite them apparently being pro-FOSS. Also there is some stuff about training AI on your code. Also… they’re owned by Microsoft and have a contract with ICE. So… not the best platform. Why do I use it? Well… I guess I’ve been using GitHub for years and just haven’t had the time to migrate away. Until now.

What happened

On Sunday last week, I went to look at a PR I created. I went to the repo, and half the PRs were just gone. I contacted the repo owner and they had no idea. I looked into it further and it looks like you can’t delete PRs without contacting support. So they probably weren’t deleted. I decided it must be some GitHub outage or something. I mean, they did have only like 90% uptime or something in the last 90 days. Oh well, I’ll just give it time.

Later that day I went to log into the malware analysis platform Triage. I clicked the log in with GitHub button, and it redirected me to the GitHub homepage with this notice. I also noticed that my homepage was looking a bit empty. I did some research and it looks like my account had been flagged for spam. I don’t really think I was spamming…?

The result

So basically all my contributions, profile, and repos were hidden from public view. So if you go to my profile, it’s just a 404 page. I also couldn’t fork repos or view my followers/following. Wonderful… I was actively collaborating with people on projects. This makes it a bit hard to do.

OAuth

Oh yeah… and I can’t OAuth with GitHub anymore. This was my main issue with this suspension. Some tools only provide OAuth with GitHub/other providers, or I was just too lazy to use a username/password. I have 80 apps set up with GitHub OAuth. EIGHTY apps I can’t log into anymore. Also my OAuth apps are disabled.

I was trying to DEMO SOMETHING, and the log in with GitHub button just 404ed?? That was really awkward, but luckily I had another way of authenticating.

The link shortener for my website (l.ingo.au) used OAuth with GitHub. That means I can’t shorten links/edit my shortened links. And I can’t push changes to it because Vercel’s access to my GitHub account was revoked. I have to DIRECTLY MUTATE THE DATABASE to use my link shortener.

Also, this blog. I use Sanity CMS as my CMS for this, and log in with GitHub. I couldn’t even complain about GitHub on my blog! Shoutout to the Sanity support team for responding promptly and helping me move to email/password auth, in under 4 hours.

Oh, and I had an active Tailscale subscription I was planning to cancel, and I logged into Tailscale with GitHub. I was able to contact support and get it cancelled. But because of how Tailscale handles auth, my account is tied to my GitHub account and can’t be migrated away. So I guess I’m setting up all my devices again in a new org, using an OIDC provider I CONTROL.

Let me list all the things I’ve lost access to:

- My link shortener
- Sanity CMS
- Convex
- Cerebras
- CodePen
- CodeRabbit
- Groq
- HACS
- Tailscale
- Multiple friends’ websites/guestbooks
- All the side projects I’ve been working on where I have only added GitHub OAuth

I now have to email all of these companies and tell them to convert my account to some other authentication method, or at least request my data.

Moving away

Well… I was going to move away at some point so might as well do it now. I decided to move to GitLab, because I had used it at work before, and it basically matches the features that GitHub had. I tried to migrate everything over, but I couldn’t OAuth. This means I need to:

1. Click import > Repo URL
2. Paste the URL in
3. Type my username
4. Copy my PAT from my password manager
5. Click import

For EVERY repo. All my 80 repos. At least I don’t have many more than that.

I’m already liking GitLab better. For example, the GitLab homepage is so. much. better. Compare the two:

I just find a lot of the stuff I do is a lot nicer in GitLab than GitHub. For example, if I run gh repo create I have to go through about 10 prompts, I believe 2 of which are blocking on network requests. With GitLab, I can run glab repo create, and it just creates the repo, adds it as a remote, and pushes the changes, no questions asked. I can use arguments, which are better in most cases compared to interactive prompts. And yes I know, gh supports arguments as well, but the fact that GitLab just does it automatically by default is just SO MUCH BETTER.

Takeaways

Remember, your online accounts can be banned at any time. It could be for literally any reason. Most terms of service include something about account termination/suspension. Have backups, things you can fall back to. I can’t import all my repos from GitHub to GitLab easily at the moment because I can’t authorise third party apps. I have to do it manually for each repo. If I had switched to GitLab earlier, this wouldn’t be an issue. And yes I know, GitLab could ban my account as well. That’s why I plan to keep backups. GitLab has a feature where you can mirror repos.

And don’t use OAuth if you can avoid it. Yes, even Log In With Google. Google can ban your account (content warning for link: NSFW mention), and they do not have a good track record of recovering accounts. A lot of the pain this has caused is because I was too lazy to use my password manager. I will be writing a blog article at some point going more in depth about OAuth.

My new GitLab profile is ingowolf.

So… yeah, I would recommend moving off GitHub

- Ingo

Update (3rd April)

I believe this was because of me having an inactive alt account previously used at school, which is against the terms of service. I still think this could have been handled better. For example, they could have flagged the inactive account, rather than the one that was actively being used to work on projects, and the one that had ID verification through the GitHub student program. They could have also just not suspended OAuth, which would reduce the impact quite a lot. I understand moderation on this scale is hard, but I still think the team handling this could have considered the impact of disabling OAuth.

Also from what I’ve heard, the support team is very slow (multiple months) at responding to reinstatement requests. I am not sure how many they get, and it’s likely a lot. But I think they could benefit by using AI. Just to review requests (not to actually un-flag accounts), along with flagged accounts’ content, to decide how important a support request is, or if it’s just spam.

Update (7th April)

GitHub responded sooner than I expected and un-flagged my account. That evening I went to migrate to GitLab and the account was flagged again. I responded, and today got it un-flagged again. Hopefully it stays un-flagged. I have migrated my stuff to GitLab though, just in case.
My UX opinions
16 Mar 2026, 12:16 AM
I am the kind of person who tries out at least 5 different products before settling on one. But sometimes I just find a product that just feels SO GOOD to use. Here are the design choices which, in my opinion, make a UI nice to use:

Optimistic updates

This is where you assume something will succeed, and update the UI to reflect it. For example, you could delete an item from a list, and it disappears instantly, rather than waiting for a server round trip. But (in my opinion as always), there are places where you shouldn’t use optimistic updates. For example in forms and dialogs. It just feels wrong creating a record (for example) with a form and it instantly appearing in a list. I don’t know, it just feels weird in my opinion.

Deletion

If I delete something, I want it to be deleted straight away. I don’t need confirmations. But if it was an accident, what now? Just don’t make accidents! Well, that’s what Ctrl + Z is for! When you delete text, do you have to confirm? No. Why should deleting records require confirmation? Just show a toast with an undo button.

Undoing

You should be able to press Ctrl + Z or U or something anywhere in the app (unless the user is in a text field or something like that), and it should revert the last action a user took, if it’s possible. For example, in Fastmail, you can press Ctrl + Z to unsend an email in about 30 seconds after sending it. Ctrl + Z should undo EVERYTHING. Creations, deletions, updates, etc.

Ctrl + K

Anywhere in the interface, you should be able to pull up a dialog with Ctrl + K. I don’t care if you want to use /, Ctrl + F or something else—Ctrl + K is basically the standard. This dialog should let you navigate, run actions, etc, only using the keyboard.

Keyboard shortcuts

You don’t need to use Ctrl or Cmd or Alt or whatever. The user isn’t always focused in a text box. Just use single key shortcuts, unless it’s a destructive action, or the user is focused in a text box. Use common keyboard shortcuts like:

- E - mark as done/archive
- C - create
- R - reply

Also J and K. Those keys are reserved:

- J - Next item
- K - Previous item

Those are both keys on the home row, which makes keyboard navigation much easier. Also J should not mark email as junk like some email apps do (cough cough Outlook).

Dark mode

I have left the most important for last. People will probably be using your product at night, or in dark rooms, or simply like dark mode. Just implement it, please.

Thanks for reading this. Go build some good UIs I guess

- Ingo
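As an added example (not code from the post), here is a small keydown dispatcher that follows the rules above: single-key shortcuts are only honoured when focus is outside a text field, Ctrl/Cmd + K opens the palette everywhere, Ctrl/Cmd + Z undoes the last action, and deletion happens immediately with an undo entry instead of a confirmation dialog. The bindings, the `items` model and the event shape are constructed for illustration; deletion deliberately has no single-key binding because it is destructive.

```javascript
// Added example, not from the post: keyboard dispatch and an undo history
// implementing the rules described above. Bindings and data are constructed.

const SINGLE_KEY = { j: "next", k: "previous", e: "archive", c: "create", r: "reply" };
const MOD_KEY = { k: "palette", z: "undo" }; // with Ctrl or Cmd held

// Text-entry targets: key presses there belong to the field, not to the app.
function isEditable(target) {
  if (!target) return false;
  const tag = String(target.tagName || "").toUpperCase();
  return tag === "INPUT" || tag === "TEXTAREA" || target.isContentEditable === true;
}

// Map a keydown-like event ({ key, ctrlKey, metaKey, altKey, target }) to an
// action name, or null when the app should not intercept the key.
function resolveShortcut(event) {
  const mod = Boolean(event.ctrlKey || event.metaKey);
  const key = String(event.key || "").toLowerCase();
  if (mod && key === "k") return MOD_KEY.k;      // command palette works everywhere
  if (isEditable(event.target)) return null;      // the field keeps typing and its own Ctrl+Z
  if (mod && MOD_KEY[key]) return MOD_KEY[key];   // app-level undo outside text fields
  if (!mod && !event.altKey && SINGLE_KEY[key]) return SINGLE_KEY[key];
  return null;
}

// Undo history: each mutating action records how to revert itself, so
// creations, deletions and updates can all be undone the same way.
class History {
  constructor() { this.stack = []; }
  run(name, apply, revert) { apply(); this.stack.push({ name, revert }); return name; }
  undo() {
    const entry = this.stack.pop();
    if (!entry) return null;
    entry.revert();
    return entry.name;
  }
}

// Delete straight away (no confirmation), keeping what is needed to restore
// the item from the toast's undo button or Ctrl+Z.
function deleteItem(items, id, history) {
  const index = items.findIndex((item) => item.id === id);
  if (index === -1) return false;
  const removed = items[index];
  history.run("delete", () => items.splice(index, 1), () => items.splice(index, 0, removed));
  return true;
}
```

Wire `resolveShortcut` to a `keydown` listener on `document` and call `event.preventDefault()` only when it returns a non-null action, so keys the app does not claim still reach the browser.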
I should probably post here a lot more
15 Mar 2026, 11:46 PM
Sorry, haven’t been posting here for a while. I know no one looks at it but I want to shout my random thoughts into nothingness so yeah I guess I’ll start writing here more lol.
That time I found an XSS
23 Nov 2025, 11:25 PM
About a year ago, I decided to look into some AI autocomplete for my IDE. This was before tools like Cursor were a very big thing (I think). I ended up trying Tabnine, but later switched to Codeium, because of their free individual plan.

So one time I was signing in, and me being me, I watched the URL and noticed something interesting. So when I clicked sign in from VSCode, it redirected to a login page, and then to a URL that redirected back to a vscode:// URL. Of course I replaced the URL with https://example.com and sure enough, it redirected there. This was already pretty bad, because I could, for example, set up an ad or something that shows the real Codeium URL, but redirects to a malicious site. But it may also open the site up to XSS.

But what is XSS anyway

First, I'm going to try my best to explain XSS. It stands for Cross Site Scripting, and it is where malicious scripts are injected into trusted sites. So for example, if you directly send text that is user provided to the browser, like this:

You can send /test?text=example and get this:

But you can also send something like /test?text=<script>alert("XSS")</script> and get this:

And that JavaScript will run, resulting in an alert box appearing. This is an example of reflected XSS, where you don't sanitise the user defined data being sent to the client. There are many ways to do an XSS attack, and the one I found on Codeium involved the javascript: scheme. Basically, you can execute code by linking to javascript:whatever(), with an a element or redirect. This is how bookmarklets work. You see where this is going?

The vulnerability

So of course I replaced the URL in the redirect with javascript:alert(). I didn't expect it to work, but as soon as the page loaded it redirected to the javascript: URL, showing the alert box. Basically this means you could possibly send a link to anyone and take over their Codeium account when they click on it. I didn't test this.
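The reflected pattern described above, as an added example rather than the post's own (screenshotted) code: a Node.js render function for /test?text=... in its vulnerable form beside an escaped one. The page template, the base origin used only for URL parsing, and the `containsScriptTag` check are assumptions made here.

```javascript
// Added example, not the post's own code: reflected XSS in vulnerable and
// escaped form. The /test?text= route is from the post; the rest is assumed.

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Extract ?text= from a request path. The base origin is a placeholder; only
// the path and query matter. Percent-encoding is decoded, so the value is
// exactly what the browser submitted.
function textParam(requestPath) {
  return new URL(requestPath, "http://localhost").searchParams.get("text") ?? "";
}

// Vulnerable: user-controlled text is concatenated straight into the markup,
// so a <script> tag in the query string becomes a script element in the page.
function renderUnsafe(requestPath) {
  return `<p>You said: ${textParam(requestPath)}</p>`;
}

// Hardened: the same page, with the value encoded for HTML text context before
// it is reflected. The payload is displayed literally instead of executed.
function renderSafe(requestPath) {
  return `<p>You said: ${escapeHtml(textParam(requestPath))}</p>`;
}

// Simple check used below: does the rendered HTML still contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the benign request and the payload from the post.
const BENIGN = "/test?text=example";
const PAYLOAD = '/test?text=<script>alert("XSS")</script>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderUnsafe(PAYLOAD)); // the script tag survives into the page
  console.log(renderSafe(PAYLOAD));   // &lt;script&gt;... is shown as text
}
```

Output encoding at the point of reflection is the fix; a template engine that auto-escapes by default gives the same result without having to remember `escapeHtml` on every value.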
Reporting it

I don't think at the time Codeium had a good way of reporting vulnerabilities, so I had to use the contact form. I had limited time because reasons, so I just sent a quick message, and they responded a few days later saying they should have a fix out soon. I checked a few days later and it was fixed! Unfortunately, I didn't get a CVE :(

Timeline

- 29th Jan 2024 - Discovered and reported
- 1st Feb 2024 - Response
- Around 3rd Feb 2024 - Fixed

A bit more about Codeium

You might not have heard about Codeium, probably because I forgot to mention that recently they rebranded to Windsurf, forked VSCode, and now have a $2.4 billion deal with Google.

In conclusion

Just don't have an arbitrary redirect. Maybe use a whitelist for redirect hosts/schemes and paths.

Stay secure :)
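One way to implement the allowlist the conclusion recommends, as an added example that is not Codeium's code: a validator that resolves the post-login redirect target and accepts it only when its scheme, host and path match a policy. The origin, hostnames, path prefix and the vscode: scheme entry are assumed values; the caller falls back to a fixed page whenever the function returns null.

```javascript
// Added example, not Codeium's code: allowlist validation of a redirect target
// before issuing the redirect. Policy values are assumed for illustration.

const POLICY = {
  origin: "https://app.example.com",                       // relative targets resolve here
  hosts: new Set(["app.example.com", "www.example.com"]),  // exact hostname matches only
  schemes: new Set(["vscode:"]),                           // the IDE callback scheme the flow needs
  pathPrefixes: ["/"],                                     // allowed paths on https targets
};

// Returns a normalised absolute URL to redirect to, or null if the candidate
// must be refused (the caller should then redirect to a fixed default page).
function safeRedirectTarget(candidate, policy = POLICY) {
  if (typeof candidate !== "string" || candidate.length > 2048) return null;
  // Browsers treat "\" as "/" in http(s) URLs; refuse rather than rely on normalisation.
  if (candidate.includes("\\")) return null;

  let url;
  try {
    url = new URL(candidate, policy.origin); // relative paths resolve against our own origin
  } catch {
    return null; // unparseable input is never a valid target
  }

  if (url.protocol === "https:") {
    if (url.username || url.password) return null;      // "https://good.example@evil.example"
    if (!policy.hosts.has(url.hostname)) return null;    // also catches "//evil" and "good.example.evil"
    if (!policy.pathPrefixes.some((p) => url.pathname.startsWith(p))) return null;
    return url.href;
  }
  if (policy.schemes.has(url.protocol)) return url.href; // e.g. vscode://... back to the IDE
  return null; // javascript:, data:, http:, file: and everything else
}
```

Parsing with the platform `URL` class and comparing the parsed scheme and hostname is what makes the check robust: a string-prefix test such as `startsWith("https://app.example.com")` would pass both the userinfo and the subdomain tricks shown in the comments.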
So I guess I have a blog now
16 Nov 2025, 5:55 PM
Yeah so this is where I'll post random stuff idk. So I can use bold, italic, underline, strikethrough, code