By @ncoghlan in #6:
I came here to file an issue about handling the federated identity management problem (and noting how difficult that is without authenticated access to email addresses as a federated identifier), but given @cjslep's response above, I think this issue can serve that purpose :)
The first paragraph in the "How it works" section of https://docs.gitlab.com/ee/user/project/import/github.html gives the gist of the problem: in order for repos to map identities correctly, users currently either have to make their email addresses on each service public, or else authenticate with the importing service before the import happens.
Neither GitLab nor anyone else currently models the notion of an "unclaimed pseudonym" to track activity where a user ID on a remote service is known, but that remote identity isn't yet mapped to a local identity in a way that verifies that the same human is plausibly in control of both accounts.
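A sketch of the "unclaimed pseudonym" idea from the comment above, added here as an illustration; it is not code from GitLab or from any participant in this thread. The class and method names are hypothetical, and the `proven_remote` argument is an assumption standing in for whatever identity the remote service asserts once the user has authenticated to it.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RemoteIdentity:
    service: str   # constructed sample value below: "github.example"
    user_id: str   # stable account id on the remote service, not an email


@dataclass
class IdentityMap:
    # remote identity -> local account; a missing key means "unclaimed pseudonym"
    claims: dict = field(default_factory=dict)
    # imported activity is stored against the remote identity, never an email
    activity: dict = field(default_factory=dict)

    def import_event(self, remote, event):
        """Record imported activity without needing a public email or prior login."""
        self.activity.setdefault(remote, []).append(event)

    def author_of(self, remote):
        """Return the local account if claimed, otherwise a pseudonym label."""
        local = self.claims.get(remote)
        return local if local else f"unclaimed:{remote.service}/{remote.user_id}"

    def claim(self, remote, local_user, proven_remote):
        """Link remote -> local only with proof of control of that remote account.

        proven_remote (assumption): the identity the remote service asserted
        for this local session, e.g. after the user logged in to it.
        """
        if proven_remote != remote:
            return False  # proof is for a different remote account
        if self.claims.get(remote, local_user) != local_user:
            return False  # already claimed by someone else
        self.claims[remote] = local_user
        return True

    def events_for(self, local_user):
        """All imported activity whose remote identity this user has claimed."""
        return [e for r, events in self.activity.items()
                if self.claims.get(r) == local_user for e in events]


if __name__ == "__main__":
    m = IdentityMap()
    r = RemoteIdentity("github.example", "1234")  # constructed sample identity
    m.import_event(r, "opened issue 1")           # constructed sample event
    print(m.author_of(r))
    print(m.claim(r, "alice", r), m.author_of(r), m.events_for("alice"))
```

Activity imported before the claim becomes attributable to the local account afterwards, so the import does not have to wait for every contributor to authenticate first.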
By @ncoghlan in #6: