This is exactly why I’m so paranoid about account and device separation.

I don’t even trust Git profiles. I buy a new license for GitKraken at any job I go to, even if I could avoid it; to me the possibility of accidentally trying to commit to work GitHub with my personal GitHub or vice verse is not worth it.

It’s the same with Microsoft accounts and their infamously bad-tech-debt-caused spaghetti.

Like if you try login to Outlook on iOS and you get a threatening message to the effect of “your system administrator will be able to remotely control and wipe your entire device if you proceed”. If it’s even a possibility that an incompetent or malicious IT department wipes your personal device, then no thank you.

See also that HN thread where a father let his child use his laptop, where they signed into their Microsoft school account, and somehow his personal Microsoft account was merged into their school account and from what I could tell he was never able to fix it and the school IT department didn’t care.

Not only on iOS, also Outlook on Android does the same. Ironically, Teams doesn't try the same trick, so if they have some emergency while I'm away, my folks know to only try sending me stuff in Teams, as Outlook will never be installed here.

Depends on the org I think now the controls are more fine grained. For example I have teams and outlook on my personal phone and the only thing they can do is delete the apps, taking a screenshot is blank, copy/paste doesn’t work etc.

MAM vs MDM. MAM is good when you want your developers to be reachable on Slack but they all (for good reason) refuse to install an MDM on a personal device—at least that seems to be how my employer feels.

Yeah someone said why the funny account name why not use your personal account and I thought "wat are you crazy". And that isn't because of SAML etc. just simple don't mix work and pleasure ethos! I don't use my personal email to send an email to a customer.

It seems to be very common to use a personal phone for work 2fa or lots of other workplace tasks. Employers seem mystified if you request a corporate device when you obviously already have your own. I even see this a little with personal vehicles.

The idea of separating work and personal seems to be becoming old-fashioned.

Funny that, exactly why NOWHERE should consider a phone number any form of ID.

Can you elaborate on the connection you see here?

Tying someone's identity to a thing they barely control and find it difficult to get more than one of.

Particularly something someone might reasonably need 3 or more different instances of. E.G. Personal SemiProfessional, Personal NSFW stuff, Work but they didn't give an X this service demands.

My company does not allow any employees to use their personal GitHub for work (or Facebook, instagram, or anything else) after running into issue when employees leave.

Wouldn’t you just remove them from the org?

They may decide to change their github login to <company_name>LIES, and suddenly that’s all over your old PRs and Issues. Including in public repos where customers go looking for help.

That's even more true with a dedicated work github account than a mixed personal/work one; either way they can still login and edit the account name even if removed from the company org, and if it's not shared it doesn't burn their personal account too... right?

Is this speaking from experience?

With a dedicated work account the organization can always take over the account (via reset email if need be, since they own your work email account) and do whatever they want with it

A dedicated work account _where you use your work email address_... that was the missing part throughout this thread.

But then if you do that you also lose all your open source work history, which is important from a hiring/resume perspective.

One option for those so inclined is to cryptographically sign commits with a key that lists both work and personal email address (assuming your enterprise’s policy allows it). The employer retains control but you have a claim to credit for your work.

If we're discussing companies willing to go to lengths to scrub you from their GitHub history, they can still replace all commits you've signed with new commits. You likely have no legal rights to that work, and git does allow you to rewrite history arbitrarily.

It depends on the jurisdiction. In the US, copyright assignment is usually permanent. In the EU and Canada, you can claw back your rights to a degree and even revoke the usage altogether, if you manage to claw it back because they did "evil" things with it (moral rights).

In some cases (even in the US), if the employer does something that would be considered a "breach of contract", you can force them to remove all your code as well.

So, it would not be in the company's best interest to scrub their git history.

I think even in the EU and Canada, you don't have any copyright interest in work your perform as part of your employment. The copyright on the work you produce for your employer is entirely theirs, from the moment it is created.

Now, if you're a contractor performing work for a company, this may be quite different. But as an employee, I don't think you have any claim of authorship to the code you right as part of your job.

Look up "moral rights." You have some ability to revoke the usage of your work if it violates moral standards.

Some countries allow authors to transfer/assign or waive asserting their moral rights. Typically (and sensibly) this must be in writing.

> git does allow you to rewrite history arbitrarily.

Technically yes, but the price is too great - everybody who has cloned the repos will now have to nuke their local copies too.

Sure, but the same is true for unsigned commits as well, isn't it? Or can you modify the commit metadata without changing the commit hash in those cases?

> Sure, but the same is true for unsigned commits as well, isn't it?

Yes, I think so. As I understand, GP's idea was to sign your commits proactively.

My question was, is signing the commits really useful? Isn't it just as hard or easy to scrub you from the repo history regardless of whether the commits are signed or not?

If a spiteful ex-employer wants to scrub ex-employee authorship from the entire commit history in their public repos when someone leaves I don't think there's anything you could do to stop that either way, though it seems like it would be more trouble than it's worth and likely wouldn't scale. If they don't do that, assuming your old company email address still has your name in it I don't see why you'd lose credit for the work you did.

And you could still just change it right, as long as you did so before the employer revoked your access via the work email address.

Why not just use the GitHub generated email address you get when you hide your email?

GitHub is my current go-to example of an individual oriented application with business features shoehorned into it.

For awhile GitHub was rather unavoidably the only place in my company where there was no reliable line between personal and professional accounts/systems.

I moved us to Forgejo after trialing it against Github (and GitLab, and Gitea).

At a prior employer everyone just used their personal GitHub accounts for the business. Once it became a “capital-E-Enterprise” making promises about things like employee SSO, they quickly retreated to an on-premise platform (not GitHub EE).

You may notice the button with the two opposing arrows on top of the user menu. You should click on it.