Git itself treats all usernames as case-insensitive while preserving the case. lit, on the other hand, preserves the case and treats the usernames as case-sensitive; this is wrong.
For example, we see this issue in `lit install`, where `lit install Username/package` is not the same as `lit install username/package` (see previously reported #320).
Slightly more concerning cases are `lit claim` and `lit share`, where they try to match the GitHub username with the lit username directly, which might report a valid member name as invalid.
As far as I am aware, this should not report invalid names as valid, but it will report valid names as invalid, meaning it's safe and shouldn't be possible to hijack an existing username, because we depend on GitHub for verifying identity, and GitHub itself treats usernames as case-insensitive.
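
Added example, not part of the original report and not lit's own code: one way to get case-insensitive matching that still preserves case is to key the lookup on a lower-cased name while storing the owner's spelling. The names `fold`, `newRegistry`, `register`, `resolve` and `resolvePackage` are hypothetical, and the package part of the spec is assumed to stay exactly as typed.

```lua
-- Added example with hypothetical helper names; not lit's actual code.
-- GitHub usernames are ASCII letters, digits and hyphens, so string.lower
-- is a sufficient case fold for them.
local function fold(name)
  return name:lower()
end

-- Registry keyed by folded name; the value keeps the case the owner chose.
local Registry = {}
Registry.__index = Registry

local function newRegistry()
  return setmetatable({ byFolded = {} }, Registry)
end

-- Register a name. A name differing only in case from an existing one is
-- the same identity, so it is refused rather than stored as a second entry.
function Registry:register(name)
  local key = fold(name)
  local existing = self.byFolded[key]
  if existing then
    return nil, "name already registered as " .. existing
  end
  self.byFolded[key] = name
  return name
end

-- Resolve any spelling to the stored canonical spelling, or nil if unknown.
function Registry:resolve(name)
  return self.byFolded[fold(name)]
end

-- Split "author/package" and canonicalise only the author part.
function Registry:resolvePackage(spec)
  local author, pkg = spec:match("^([^/]+)/(.+)$")
  if not author then return nil, "expected author/package" end
  local canonical = self:resolve(author)
  if not canonical then return nil, "unknown author " .. author end
  return canonical .. "/" .. pkg
end

-- Constructed sample data.
local reg = newRegistry()
assert(reg:register("Username"))
assert(reg:resolvePackage("username/package") == "Username/package")
assert(reg:resolvePackage("Username/package") == "Username/package")
assert(reg:resolve("USERNAME") == "Username") -- GitHub login vs stored name
assert(reg:register("userName") == nil)       -- same identity, refused
assert(reg:resolve("other") == nil)           -- unknown names stay invalid
```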