I thought it would be worth updating this post to commend the awesome response from GitLab. Though this issue was not really their fault, I recieved this tweet within a few hours of posting.
Hey Dylan, I couldn't find a link to the issue you created regarding this. Do you have that handy?— Mitchell Wright (@mitchellbwright) July 3, 2017
as well as some awesome responses in the comments of this post. I really appreciate how seriously they take user feedback. Keep it up folks!
People make mistakes.
This is something that we are continuously reminded of in the world of computer security. Recently, I’ve been reminded of this a lot. Specifically, I’ve been getting a lot of emails from GitLab. Why? Simply because of my name. It’s nothing exciting or special, but rather something accident prone. My name on GitLab is 🐤(U+1F424). This is important because it’s a lower codepoint than the next lowest user, 🔑(U+1F511). Can you guess where this is going?
Several months ago, I was creating an organization, when I realized that all of the emoji usernames where at the top of the list of members to add, then it continued in alphabetical order.
This quickly lead me to the conclusion that GitLab was indexing every user alphabetically and displaying them on the “Add member” list. Because of this, lower emoji codepoints would be displayed higher on the list. Thus, my bird username was born. The result was immediate:
I was officially a member of the A-List of GitLab’s “Add User” selection dialog.
This is where things got crazy. After roughly one month I had been added to 14 projects, one of which was a NuGet package, which could have had a pretty strong negative impact(I couldn’t find the package 😞). Only four of those repositories appeared to be test or practice repositories. Additionally, I was given non-guest access to 3 groups(one of which was a test group), and guest access to two more groups. It’s now been three months, and this morning I received yet another GitLab email.
However, I found this project particularly interesting. When I looked at the project settings, I noticed the project description.
It looks like this repository controlled the early stages of source code for SETI’s webpage for the dominican republic. It also appeared to be a direct rip of the source code of http://sidifdelcaribe.com/. This is just one of many concerning things I’ve been given access to because of alphabetical sorting. Other notable items include a few big organizations, some larger repos, and a NuGet package.
I’ve reported this issue to GitLab as a design concern, as it’s more related to user error than it is any fault of theirs. In total, since I’ve changed my username, I’ve been added to more than thirty projects and organizations with developer access or higher(almost always master). Unfortunately it’s difficult to prevent this issue on GitLab’s end. My suggestions to them were more confirmation before adding a user and not highlighting the first user in the list.
In conclusion, popularity is a fickle thing. It is quite possible that after making this public, someone will choose a lower codepoint and dethrone me from my spot atop the list. But I have enjoyed my moment of short, sweet GitLab fame.