
GitHub exposes everyone's email address in GIT commits - asjfkdlf
https://taylorhakes.com/posts/get-any-github-users-email-address/
======
pwg
This is not a github issue. A git commit object contains your email address.
This is a basic feature of git.

~~~
asjfkdlf
Yes, it is a GIT feature/issue. Github does nothing to protect users (by
default) from using their personal email in commits. It is definitely not well
known though because almost everyone is using their private email address. Go
to any big repo and you can see everyone's email.

This is more about education and changing a default.

~~~
slang800
This isn't a bug or a bad default - your email address was never supposed to
be private... that's how people contact you (besides the GitHub issues
system).

~~~
asjfkdlf
I strongly disagree. People don't appreciate unwanted email to their personal
accounts. That is why we don't put our email places where bots, recruiters,
etc can easily access it. You generally only want to give your email out to
sources that you want contacting you.

If you think people should only use an email address that they want to be
contacted with, that is where I am saying the issue lies. People signup to
Github, commit some code without knowing Github is giving their email out to
the world. You are arguing that is by design, but I am saying most people
don't understand it works that way. It's an education thing or change of
defaults.

~~~
pwg
> People signup to Github, commit some code without knowing Github is giving
> their email out to the world.

No - the correct statement is: "People signup to Github, commit some code
without [understanding that their local Git configuration] is giving their
email out to the world".

Github is not giving their email out - they are. Their email ends up in the
Git commit objects _on their local disk_, long before Github ever sees the
commits.

Don't blame Github, Github is not at fault. The users who don't configure
their system correctly are at fault. Github is just where those users
voluntarily publish their email address (when the publish the Git commit
objects that their local Git copy inserted their email address into). The
identical issue exists with _any_ internet Git hosting service.

The distinction is subtle, but important. You can argue 'education' all you
want, but your article blames Github, when it is not Github's fault, nor can
Github do anything about it (because changing the content of the commit
objects also changes their sha1 hash, making them _different_ commit objects,
and breaking the Git repository in the process).

> You are arguing that is by design,

It is by design, this is how Git works. Create an empty git repository on your
local machine, then make a test commit. Then look at the output of 'git log'.
The email address you told git to include will be part of the log output.
Why?, because it is part of the Git commit object on disk.

> but I am saying most people don't understand it works that way. It's an
> education thing or change of defaults.

Which is also fine, but your article is written as:

Github reveals your email addresses - they should stop doing so.

When the facts are:

You reveal your email address when you mis-configure Git and then push
something to an internet Git hosting service.

Place the 'blame' where it belongs (users mis-configuring their local Git
settings) rather than where it does not (Github).

------
voltagex_
If you have an open source project used by more than yourself, please don't
make yourself uncontactable. If you've abandoned the project, make it clear
that you have and if you're lucky enough to have an active fork, point to
that.

~~~
asjfkdlf
This isn't about contacting people or communicating the status of a Github
project. Github issues are fine way to communicate. If the repo owner isn't
responding to issues, I don't think sending email to someone's personal email
found through GIT commits is a good option. There is a reason we don't just
have everyone's personal email on their Github profile. People don't want spam
from people they don't know.

~~~
voltagex_
It's Git, not GIT.

Anyway, if you tick the keep my address private box on
[https://github.com/settings/emails](https://github.com/settings/emails), the
email field on your profile won't show.

I don't think this is a big issue.

------
proyb
It's not an issue, I have been using a separate email for all development
purposes. You should always separate your email addresses for different
purposes, that including my mobile contacts.

------
hairypotatocat
wait until he realizes that unsigned commits can be made to look like they're
from anyone...

------
sruffell
I feel like someone isn't fully groking the beauty of decentralized /
distributed version control systems...

