dansup

Edit: This requires some careful thought before proceeding. I'm thinking we could provide an option to recycle the username during deletion, or reserve it for the original account creator for 90 days. Safe to say, I haven't decided yet!

I get a lot of requests from people wanting to re-join pixelfed.social after permanently deleting their account.

Maybe usernames should be re-usable after a period of 30 days.

23 comments
Crimperman

@smatyszczak @dansup By the same person (email)? Yes, but not by another person, otherwise you open yourself to a risk of someone impersonating a user who has left.

Crimperman

@smatyszczak @dansup On second thoughts, no. Usernames should only be allowed to be used once.

This behaviour is already there in other parts of the fediverse, like Mastodon for example: docs.joinmastodon.org/user/mov

Harald Eilertsen
@dansup Wouldn't that open it up for impersonation as well?
cayleyh

@dansup reusing usernames in a social media or email context is pretty problematic. Maybe there should be a way to “delete” the account but still be able to reactivate it? Something like store a salted hash of the email address with the username when deleted so that it can be recovered but raw email address is not immediately available? If you are going to reallow reuse, the cooldown period has to be loooong, which doesn’t solve the “ooops I can has reactivate plz” problem at all.
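
One way the tombstone idea in the comment above could look, as an added example that is not part of the thread and not Pixelfed code. The `Tombstones` class, its method names, the returned status strings and the PBKDF2 work factor are all assumptions made for illustration; the optional reservation window mirrors the 90-day idea from the original post.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta, timezone

ROUNDS = 200_000  # assumed work factor: e-mail addresses are guessable, so hash slowly

def _digest(email: str, salt: bytes) -> bytes:
    # Normalise so "Alice@Example.org " and "alice@example.org" match.
    norm = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", norm, salt, ROUNDS)

class Tombstones:
    """Hypothetical in-memory store: username -> (salt, e-mail digest, deleted_at)."""

    def __init__(self, reserve_days=None):
        self.reserve_days = reserve_days  # None: name is never released to anyone else
        self._rows = {}

    def delete_account(self, username, email, now):
        # Keep only what is needed to recognise the original owner later.
        salt = os.urandom(16)
        self._rows[username.lower()] = (salt, _digest(email, salt), now)

    def check_registration(self, username, email, now):
        row = self._rows.get(username.lower())
        if row is None:
            return "new"            # name was never used
        salt, digest, deleted_at = row
        if hmac.compare_digest(_digest(email, salt), digest):
            return "reclaim"        # same e-mail as the deleted account
        if (self.reserve_days is not None
                and now - deleted_at >= timedelta(days=self.reserve_days)):
            return "released"       # cooldown over, policy allows reuse
        return "reserved"           # different person, name still held

if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = Tombstones(reserve_days=90)
    store.delete_account("alice", "alice@example.org", t0)
    for who, day in [("alice@example.org", 5), ("mallory@example.org", 5),
                     ("mallory@example.org", 90)]:
        print(who, day, store.check_registration("alice", who, t0 + timedelta(days=day)))
```

A "reclaim" result here only hands the name back; whether the new account inherits anything else from the deleted one is a separate decision.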

Григорий Клюшников

Why would they ever not be reusable? The very idea of a username not getting freed when the corresponding account is deleted feels extremely bizarre to me.

BunnyInAHat

@grishka@friends.grishka.me To make impersonation harder for example. Say a person leaves the server, and then another one creates a clone of their account. They then could scam other people or do damage to the reputation of the original owner.

Григорий Клюшников

BunnyInAHat, but that could also happen if someone creates someone else's fake account on another server. That's what link verification is supposed to solve.

Jeff

@grishka @dansup

The reason many sites don't do this is that it can cause issues if there are references to the username.

Tags within the platform as well as links from outside the platform would then direct users to the wrong account.

I think it'd be doing more harm than good to allow username reuse.

Григорий Клюшников

amd, but the username is, like, one of the least important parts of the account when you're trying to confirm someone's identity

Steve Dinn

@dansup Perhaps the solution could be to have a "permanent" deletion mode where all content is deleted except for the username, email address, and password. So while no photos would remain, the user could still log in or reset their password.

Carlos Francisco 🦣

@dansup @pixelfed it could cause some problems and even identity fraud issues. Maybe the old user could recover the username by using the same email.

Sheepie

@dansup 30 days feels a bit short and ripe for stealing / impersonating. 6 months? 12?

yr

@dansup this is a security/impersonation risk. if you do this, you should make them reclaimable only under specific restrictions, otherwise it's pretty dangerous.

and watch out for things like delivery of inbox items that were pending or attempted during the deletion window, or resumption of any private access in either direction. those should probably not be available to recreated accounts.

Rocky Lhotka 🤘🖖

@dansup I just wish I could use the pixel fed android app to post photos, but it says pixelfed.social is running an old version of the software 😔

dansup

@rockylhotka Where did you get the app from? We have an updated build on our F-Droid and play.google.com/apps/testing/c

Rocky Lhotka 🤘🖖

@dansup I was installing it from GitHub I think. I just registered for the test app install, so once it is available I'll get it automatically?

dansup

@rockylhotka You can download it once you join the beta,

play.google.com/store/apps/det

You should uninstall the currently installed Pixelfed app first!

Crimperman

@dansup blocklists are a good example why reused usernames could cause difficulties.
A new user may find themselves on one or more blocklists without knowing why.

Herron's Technical Services

@dansup @pixelfed Guess it depends on impersonation as a threat vector.
