Remember: your git commit email is public - davefp
http://theflyingdeveloper.com/your-git-commit-email-is-public

======
marssaxman
Uh, no. Git commit messages which are stored in public repositories such as
Github are public, because public repositories are public. Git commit messages
which are stored in private repositories are private. Git commit messages have
the same access restrictions as the repositories which contain them. Duh?

~~~
davefp
Absolutely. I should probably have clarified that.

I do think there's a disconnect between which pieces of data people think are
public vs. what is actually public. My git commit email was one of them.
That's what I'm trying to illustrate in my post.

~~~
marssaxman
Gotcha. Fair enough. Perhaps I shouldn't have said "duh".

~~~
MartinCron
_Perhaps I shouldn't have said "duh"_

That's almost always correct :)

~~~
Dylan16807
I don't know, 'duh' is a good term for that feeling when you realize something
you should have realized a long time ago.

------
vsbuffalo
See Github's setup tip on configuring a fake email address:
[https://help.github.com/articles/keeping-your-email-address-private](https://help.github.com/articles/keeping-your-email-address-private)
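A small audit script that goes with the tip above, added here as an example and not code from the linked help article, from GitHub, or from any commenter in this thread. It reads `git log` output in an assumed `%H %an <%ae>` format and flags commits whose author address is a real mailbox rather than a GitHub `users.noreply.github.com` address, so a repository can be checked before it is made public. The sample log lines, commit hashes and addresses are constructed for the demonstration.

```python
"""Audit git commit author addresses before a repository goes public.

Assumption: the log was produced with `git log --format='%H %an <%ae>'`.
"""
import re
import subprocess
from typing import Iterable, List, Sequence, Tuple

Commit = Tuple[str, str, str]  # (sha, author name, author email)

# GitHub's noreply address forms: "ID+username@users.noreply.github.com"
# (current) and the older "username@users.noreply.github.com".
NOREPLY_RE = re.compile(
    r"^(?:\d+\+)?[A-Za-z0-9-]+@users\.noreply\.github\.com$", re.IGNORECASE
)

# One log line in the assumed format: "<sha> <author name> <email>".
LOG_LINE_RE = re.compile(r"^(?P<sha>[0-9a-f]{7,40}) (?P<name>.*?) <(?P<email>[^>]*)>$")


def parse_log_lines(lines: Iterable[str]) -> List[Commit]:
    """Turn formatted git log lines into (sha, name, email) tuples."""
    commits: List[Commit] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = LOG_LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        commits.append((match["sha"], match["name"], match["email"]))
    return commits


def is_noreply(email: str) -> bool:
    """True when the address is GitHub's commit-privacy noreply form."""
    return NOREPLY_RE.match(email) is not None


def find_exposed(commits: Sequence[Commit], allowed_domains: Sequence[str] = ()) -> List[Commit]:
    """Return commits whose author email would leak a real mailbox.

    Noreply addresses and any domain in `allowed_domains` (e.g. a
    deliberately public catch-all domain) are not reported.
    """
    allowed = {d.lower() for d in allowed_domains}
    exposed: List[Commit] = []
    for sha, name, email in commits:
        domain = email.rsplit("@", 1)[-1].lower()
        if is_noreply(email) or domain in allowed:
            continue
        exposed.append((sha, name, email))
    return exposed


def git_log_lines(repo_path: str) -> List[str]:
    """Run git in a real repository (hypothetical helper; not used by the sample)."""
    result = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%H %an <%ae>"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


# Constructed sample output; the hashes and people are fictional.
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 Octo Cat <1234567+octocat@users.noreply.github.com>
b2c3d4e5f60718293a4b5c6d7e8f9012345678a1 Jane Doe <jane@example.com>
c3d4e5f60718293a4b5c6d7e8f9012345678a1b2 Dev Bot <dev@example.org>
d4e5f60718293a4b5c6d7e8f9012345678a1b2c3 Octo Cat <octocat@users.noreply.github.com>
"""


if __name__ == "__main__":
    found = find_exposed(parse_log_lines(SAMPLE_LOG.splitlines()), allowed_domains=("example.org",))
    for sha, name, email in found:
        print(f"{sha[:12]}  {name}: {email} would be public")
```

Run it against a real checkout by replacing `SAMPLE_LOG.splitlines()` with `git_log_lines(".")`; commits that are already pushed keep their original address, so the check is most useful before the first public push.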

~~~
davefp
Thanks for the link, I've updated the post :)

------
benatkin
Also your git commit email needs to be added to your GitHub account for it to
link to your GitHub account. And then it can be used to reset your passwords.
So you'd better make sure you pick one that you're in control of.

Unless you ignore the confirmation email that gets sent to you.

If you already have an email address in your GitHub account that you want to
use for the purpose of linking commits but don't want to be usable for
resetting passwords, and you've already verified it, you can delete the email
address and then just add it back, and then delete the verification email that
gets sent.

I've written to GitHub twice, once to their support address and once to their
security address about it and they were pretty middle-of-the-road about it.
But twitter has a big issue with fraudulent password resets so I wish they'd
make it so only the primary email can be used for password resets, or provide
a way to say which email addresses can be used for password resets.

~~~
socillion
> Also your git commit email needs to be added to your GitHub account for it
> to link to your GitHub account. And then it can be used to reset your
> passwords. So you'd better make sure you pick one that you're in control of.

I just tested it and successfully reset my password _without ever verifying
the new email address_ - so it's an open invitation for someone to hijack
your account if you don't control the fake one.

Beats me what the purpose of the verification is.

~~~
benatkin
Also at least one of GitHub's employees has an email address from a company
that he used to work for. This just shows that not everyone who signs up for
GitHub uses an email address that's under their control.
[https://github.com/github/linguist/commit/99c296264ab320d41c...](https://github.com/github/linguist/commit/99c296264ab320d41c6737b679cb57e005ed2ffa.patch)

~~~
socillion
Correction: it's actually only possible to use an unverified email to reset
the password if you don't have any verified emails on the account.

Not as bad as I thought, but it still seems a bit questionable.

~~~
benatkin
Ah...makes sense.

I think it's alright, and I think the problem could be largely solved by only
allowing people to reset their passwords with their primary email addresses.

------
lifthrasiir
I don't mind particularly whether my email is public or not, but it is
definitely useful to know how the sender knew/collected my email address. For
that purpose I'm using two addresses: public+{hg,git} at my domain. I have
bunches of other addresses of the form public+<service> at my domain, and some
of the form public.<service> at my domain (as <service> stupidly refused to
accept an email address with +).

~~~
asperous
Some spammy things throw away the + because they know they are optional.
Having your own domain is nice because you can set it up to make
<anything>@yourdomain.com work.

~~~
lifthrasiir
Actually I do. ;) Also, public at my domain is separate from my "official"
email addresses so I can reasonably expect emails from public at my domain are
results of automatic crawling.

~~~
asperous
Smart!

------
obviouslygreen
Definitely made me laugh at myself, as I certainly hadn't thought about
this... after the initial "oh crap" moment, further analysis revealed that I
don't particularly care.

Today's new thing has been learned.

------
remi
Correction: your git commit email (used in public repositories) is public.

~~~
davefp
Yes, indeed. That's an important clarification.

------
signed0
This seems like a great way for a recruiter to alienate someone they are
hoping to recruit.

Last month a recruiter was able to get my email address through this very
mechanism. It immediately felt slimy to me and completely put me off the
companies they were recruiting for.

If this becomes widespread people will start cloaking their git commit email
in the same way that they cloak their DNS email records.

------
rmk2
I think this brings up a good point, not just regarding git, but also in
general.

I noticed something similar also for my dotfiles. My emacs config has my full
name and email address (whereas the email address _also_ includes the full
name, again) in it (whereas my git commits use another, less directly
connected name).

It doesn't really have to do with excessive paranoia (and by all means, it's
not that hard to get to a full name from either address), but these are the
small places where I tend to forget that information will (or: would) thus
ultimately end up in public.

------
artagnon
git was built for linux.git. A tool for developers in the linux community to
collaborate. Of course the email ID is public: if someone finds a bug, they
should be able to send a patch to the maintainer right away.

Please don't use fake email ids. That defeats the whole purpose of open
source. Of course, if you are working on something closed source, the email ids
aren't public by definition; those git repositories aren't public.

~~~
mcintyre1994
I don't think this is really an issue any more, even Linux itself has its
source on Github now. There's almost certainly alternative, arguably better
ways of contacting the maintainer of a public repository now.

------
jefe78
I tried sending you an email but there seems to be a problem with the MX
record associated with your domain. Mail is being rejected.

~~~
davefp
Oops. Thanks for the heads up on the DNS issue. Should be fixed now. I'll
respond to your email shortly.

~~~
jefe78
No worries. Happens to the best of us! Looking forward to your reply. Sorry
about the forwardness of it.

------
ar4s
wow... any chance this is the reason I've suddenly started getting pounded
with "work in america!" emails? (I'm Canadian, and probably not the
demographic they are trying to target)

------
cinquemb
You can also access the links using digits, e.g.
https://api.github.com/users/6/events/public, so I could see someone easily
running a script mining each page for email addresses and names for their
recruiting bot... pretty interesting stuff.