
GitMask – Develop Anonymously - josephscott
https://www.gitmask.com/
======
Ajedi32
For developers who truly care about anonymity, is relying on the server to
strip out personal information really a good idea?

If I were that paranoid, I feel like I'd greatly prefer a tool that strips
everything out on the client, then establishes a connection to your site via a
Tor hidden service which then publishes the PR.

Another concern; isn't this a potential avenue for spam? How long before
someone submits a bunch of spam PRs through the service and gets your Gitmask
user account banned on GitHub as a result?

~~~
analogj
To be honest, I wrote GitMask for myself. Yep, if anonymity is really important
to you, a VPN and/or Tor is required. GitMask just ensures that you don't
unintentionally leak personal info. GitMask is open source, so if you don't
trust _me_ to run it, just run it yourself.

Spam is a potential issue. All PRs reference gitmask.com so maintainers have
someone to message if they get flooded.

~~~
djsumdog
Are you worried about potential licensing issues? Some projects make
contributors agree to certain license contribution guidelines before they can
accept pull requests.

If there is a question about non-OSS code coming in from Gitmask in a lawsuit,
the affected project will most likely have to discard and rewrite all those
contributions.

------
analogj
woah, this is my project. Glad you guys find it interesting. I'm happy to
answer any questions you might have.

~~~
Cyberdog
Please stop overriding my browser's/OS's scrolling behavior. I know best how I
want to view your content. Thank you.

Also, the H in GitHub is capitalized.

~~~
analogj
fixed the capitalization. I'll have to figure out what's locking up the
scrollbar in the CSS though.

------
dbcurtis
I can see why this is attractive in some circumstances. I don't see how this
can be reconciled with copyright law. How can Anonymous Hacker show that they
have authority to transfer a clean copyright in their contribution? If you
accept an anonymous patch, aren't you also accepting liability for all
possible encumbrances?

~~~
k__
In Germany you can't transfer your copyright.

I think an unknown creator would be the only way to make something that wasn't
"owned" by him/her in this case.

~~~
Klathmon
Out of curiosity, how does employment and contracting work in Germany?

If you pay me to make a software product, does it mean that I always keep the
copyright?

~~~
lima
You keep the copyright, but you give away all rights. It's mostly semantics -
the result is the same.

~~~
qznc
There are differences between Copyright and Urheberrecht (the German thing).

For example, under Urheberrecht an author can always revoke the rights of the
publisher, while under Copyright the rights are traded away and nothing
remains with the author.

In Germany you cannot buy stock photos and use them however you want. The
creator may sue you if he thinks he was not treated fairly.

Back to source code: No fear! If a programmer gives away source code knowingly
under an Open Source licence, it cannot be revoked since the terms of
publication are very clear. Still, there is no such concept as "giving
copyright to a foundation" under Urheberrecht.

In general, Copyright protects the publishers, while Urheberrecht protects the
creators.

~~~
dragonwriter
> For example, under Urheberrecht an author can always revoke the rights of
> the publisher, while under Copyright the rights are traded away and nothing
> remains with the author.

In copyright, transfers from authors can be reclaimed, though there is a
_specific_ 5-year time window (starting 35 years after the grant, basically)
for this to be exercised.

> In Germany you cannot buy stock photos and use them however you want. The
> creator may sue you if he thinks he was not treated fairly.

The US copyright system has a similar protection for creators of unique or
limited physical works of visual art, but it doesn't protect against
reproductions in derivative works or use of stock photos.

------
BinaryIdiot
Interesting project but I didn't see any information regarding data collection
and retention on your site. Granted that's unlikely to come up but in theory I
would imagine someone could subpoena you for information regarding who that
person was that created the PR, no?

Also curious how this does with, say, updating a PR.

~~~
analogj
Yeah, adding a privacy/retention policy would be a good idea.

Under the hood it's pretty simple (and open source), just an AWS Lambda
squashing the commits and stripping metadata before pushing to GitHub.
Potentially you could tie the commit to an IP address, but I'm not logging any
of that info.

I'm not really sure how I can prove that the code I'm running is the code
you'll find on GH though.

~~~
mappu
_> I'm not really sure how I can prove that the code I'm running is the code
you'll find on GH though._

I think this attestation is something Amazon (and other cloud providers) could
offer in the future - they're the only ones who can really prove it.

"I, Amazon AWS, do solemnly declare that the code running on {service} is {git
hash}"

~~~
BinaryIdiot
Only issue with that aspect is if they still allow configuration (I mean
they'd sorta have to) and what if you could exploit a testing configuration to
do whatever activity you want to hide? You could get the badge from AWS but
still do what you wanted.

Honestly not sure there is a good solution for that.

~~~
michaelmior
You could always have a script which strips down things to only necessary
configuration values for production and then generates a tarball that could be
verified. It seems like it would be possible to get down to a subset of
settings that could take on any value while still allowing you to trust the
service. Of course, if the settings don't have to be secret, they could also
just be baked in as well.

------
houli
Not sure that many OSS projects are going to be interested in merging a patch
where a conversation with the patch author for review/feedback can't happen

~~~
analogj
I get that, but at the same time, there's a ton of reasons why a developer
might not want their name attached to a bunch of code.

As a maintainer myself, I can respect that. If the PR is important enough, I'm
more than happy to merge it without knowing the author (with some additional
tweaking if necessary).

~~~
Walkman
Can you tell me one real example of why somebody would do that? I mean REAL,
not some random reason you just think of.

~~~
deanclatworthy
Legally questionable projects. There's plenty of projects on github which can
be used for nefarious purposes with disclaimers that it shouldn't be used as
such.

------
insomniacity
I like this, but it does make it difficult to discuss the PR. Perhaps you
could issue a private key or token in response to the POST and then add
comments with that key/token?

~~~
analogj
that's an interesting idea, thanks :)

------
f2n
I wonder how long that will last until GitHub bans them for (presumably)
massive amount of spam. The fact that it's PRs only, not just issues, makes it
a bit harder, but I can't imagine it'd be that hard to abuse

~~~
analogj
To be honest, I was worried about that as well. But it's been pretty good so
far. Gitmask always adds a comment in the PR mentioning where the PR is
coming from, so in the event of any projects/repos getting spammed, I can
hopefully disable PRs being opened against those projects.

~~~
sbarre
To that end, you may want to include a prominent note on the website about how
to report abusive activity and what your policy is for dealing with it.

Simply having that easily accessible may go a long way.

~~~
analogj
Good point.

~~~
datamingle
Could also rate limit 1 PR for a given repo per day. Perhaps even have a
queue.

~~~
analogj
I don't really want to go down the rate limit route quite yet, but it could be
an option.

------
ktpsns
I did not really understand the benefit in comparison with a sock-puppet
account linked to a throw-away e-mail address. That's the universal way for
any web registration form.

~~~
Sir_Substance
If you're not paying attention, git pulls information out of your OS and
sticks it into your git commits without asking you. It does at least tell you
it's done that, but it doesn't ask you before hand, it just goes ahead and
does it, then begs forgiveness. I see a lot of value in having a tool in my
workflow that strips all of that without my having to think about it.

~~~
anowlcalledjosh
> _git pulls information out of your OS and sticks it into your git commits
> without asking you_

Really? The only information I know of that gets into a commit is your name &
email and the current time, and the first two have to be configured before you
can commit.

~~~
Sir_Substance
It depends on whether it can pull your email address out of the OS.

If you're on a linux machine, usually it can't, so it pops up the "set your
global user and email" prompt without committing things.

If you're on a domain windows machine though, often it can. When that's the
case, it does the commit first, and then asks you to set the config
explicitly. You then swear, change the config to be blank, and then go amend
the commit you just made.

In any case, the whole thing is a pain that adds mental overhead I'd rather
spend on programming.
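
As an added example (not GitMask's code, and not something either commenter
posted): a POSIX shell script that shows which identity fields git writes into
a commit and rewrites a branch the way analogj describes GitMask's Lambda doing
it, squashing to a single commit whose author, committer and dates are all
neutral. It does the stripping on the client, before anything reaches a relay.
The developer name and address, the `anonymous@gitmask.invalid` placeholder and
the fixed date are constructed for the demo; the script needs only git and
works in a throwaway repository it creates under mktemp.

```shell
#!/bin/sh
# Added example: local equivalent of "squash the commits and strip metadata".
# Not GitMask's own code. All identities and addresses below are made up.
set -eu

REAL_NAME="Jane Developer"          # identity a normal .gitconfig would supply
REAL_EMAIL="jane@corp.example"
ANON_NAME="Anonymous"               # assumed neutral identity for the public commit
ANON_EMAIL="anonymous@gitmask.invalid"
ANON_DATE="946684800 +0000"         # git's internal date format: 2000-01-01T00:00:00Z

# What git would record right now if you committed with no identity configured:
# it derives a name/e-mail from the OS account and host (may fail on some hosts).
default_identity() {
    git -C "$1" var GIT_AUTHOR_IDENT
}

# Build a repository with two commits made under the real identity.
# Prints the repository path.
make_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" config user.name "$REAL_NAME"
    git -C "$dir" config user.email "$REAL_EMAIL"
    printf 'print("hello")\n' > "$dir/hello.py"
    git -C "$dir" add hello.py
    git -C "$dir" commit -q -m "add hello"
    printf 'print("world")\n' >> "$dir/hello.py"
    git -C "$dir" commit -q -am "add world"
    echo "$dir"
}

# Every identity field git stored for the commits reachable from a ref.
# Author and committer are separate fields with separate dates; both leak.
identities() {
    git -C "$1" log "$2" --format='%an <%ae> %ad | %cn <%ce> %cd' --date=iso-strict
}

# Squash everything reachable from HEAD into one commit on branch "anon".
# The tree (file contents) is reused unchanged; only the commit object is new.
# Environment variables take precedence over any git config, so the real
# identity is never consulted. Prints the new commit hash.
anonymize() {
    repo=$1
    tree=$(git -C "$repo" rev-parse 'HEAD^{tree}')
    commit=$(GIT_AUTHOR_NAME="$ANON_NAME" GIT_AUTHOR_EMAIL="$ANON_EMAIL" \
             GIT_AUTHOR_DATE="$ANON_DATE" GIT_COMMITTER_NAME="$ANON_NAME" \
             GIT_COMMITTER_EMAIL="$ANON_EMAIL" GIT_COMMITTER_DATE="$ANON_DATE" \
             git -C "$repo" commit-tree "$tree" -m "Anonymous contribution")
    git -C "$repo" update-ref refs/heads/anon "$commit"
    echo "$commit"
}

# Returns 0 when neither the real name nor the real e-mail appears in any
# author or committer field reachable from the given ref, 1 otherwise.
is_clean() {
    if git -C "$1" log "$2" --format='%an %ae %cn %ce' \
        | grep -F -q -e "$REAL_NAME" -e "$REAL_EMAIL"; then
        return 1
    fi
    return 0
}

# Stand-alone run: show the leak, rewrite, show the result.
if [ "${1:-}" = "demo" ]; then
    repo=$(make_repo)
    echo "before:"; identities "$repo" HEAD
    anon=$(anonymize "$repo")
    echo "after:";  identities "$repo" "$anon"
fi
```

Two caveats a practitioner would add. First, only the commit metadata is
neutralised here; file contents and the commit message are left exactly as
written, so anything identifying inside the code itself still goes out.
Second, the behaviour Sir_Substance describes (git guessing an identity from
the OS and committing before asking) can be switched off with
`git config --global user.useConfigOnly true`, after which git refuses to
commit until `user.name` and `user.email` are set explicitly.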

------
shykes
This is fantastic. I have been doing all my personal open-source work
anonymously, and it requires a surprising amount of tooling to get it right. I
will give gitmask a try.

~~~
Walkman
May I ask why? Why did you feel you have to hide your identity?

~~~
hnzix
Why should they disclose their identity and leave a permanent digital
footprint? Some of us are private people by nature. Some of us have stalkers,
sensitive employment situations etc.

I miss the pseudonym era of the internet. Uploading my nudes to Facebook so
they can ID me is so dystopian.

------
bitL
For proper anonymization, you need to change code/naming style. Code
stylometry can easily identify most developers. Ideally, an obfuscator
generates some "private key" that would guide it how exactly it should
change/reverse change upon push/pull so that the public repo has anonymized
code whereas the developer has the real one. However, it won't work for
multi-developer projects.

~~~
analogj
I think that's pushing past the goals of GitMask. As much as possible I want
to leave the code as is, as the developer intended, while stripping all
personally identifiable information and metadata.

------
JoshTriplett
> Just because you think DICSS is amusing, doesn't mean you want your boss to
> know about it. How about your girlfriend?

It's 2018. Dick jokes and "your girlfriend" examples have no place in software
engineering, not that they ever did. That holds doubly true for a project
whose target audience potentially includes people who have reasons to protect
their identity.

As potentially better examples: contributions to the bitcoin repository tend
to result in spam from random people who think that the list of every
contributor to bitcoin is the right list to send random cryptocurrency spam
to. Or, you might want to contribute to the https-everywhere repository
without revealing sensitive sites you're contributing entries for.
("Potentially sensitive" here could mean a wide variety of things, such as
sites for sufferers of a particular medical condition, sites for organizations
whose members regularly get targeted, etc.)

~~~
analogj
Fair enough, the examples could use some work. I kinda just threw the landing
page together without thinking about it much.

I'll take another pass at it.

~~~
18nleung
Unrelated to the GP, but I really like the design of the landing page — did
you put it together yourself?

------
carussell
This is cool. I've been looking for an "open relay" to help with collaborating
on GitHub-hosted projects that's easier than doing account resets.[1] I'll
check it out later.

Side note: the Git project is enforcing the Git trademark now.[2] If you want
to use "Git" for your branding, you'll need to get approval.

1. https://www.colbyrussell.com/2016/02/13/keeping-a-low-profile-on-github.html

2. https://public-inbox.org/git/20170202022655.2jwvudhvo4hmueaw@sigill.intra.peff.net/

~~~
f2n
>If you have an account and you're participating in a project in any way
through github.com, you're part of its social network.

What part of GitHub does this person have a problem with? It's entirely
unclear what they mean by social network. Is that like, showing the commits
you make on your profile? Having a page that shows what you've worked on at
all? This seems like good ways to be difficult to work with in open source
projects for zero benefit.

~~~
carussell
The person who wrote that post is me.

> Is that like, showing the commits you make on your profile?

Yes.

> Having a page that shows what you've worked on at all?

Yes.

> This seems like good ways to be difficult to work with in open source
> projects

First, open source doesn't start and end with GitHub.

Second, I prefer not to publish anything to Facebook or Twitter feeds, either.
That's a position that folks seem to find palatable. (In fact, it's one that
programmers appear to be disproportionately sympathetic to.) I don't see why
it shouldn't remain so if the subject of the conversation is GitHub.

> for zero benefit

Opting out of the same kinds of personal broadcasting on GitHub isn't "zero
benefit" to me. And if it is zero-benefit, it means the service linked here is
zero-value. I feel differently. We don't have to agree.

~~~
f2n
>First, open source doesn't start and end with GitHub.

I didn't mean to imply it is, but if an open source project finds it easier to
use one platform (such as github), trying to subvert that by emailing patches
sounds like a very annoying thing to do. It seems similar to submitting pull
requests to the Linux Kernel on GitHub, which explicitly requests that you
submit patches on the mailing list.

~~~
carussell
I'm not here to defend arguments I never made.

------
mr_scrapey
Throwaway account:

I enjoy scraping GitHub user data and have found it a great goldmine of data.

95% of the time I can recover an email address for a user based on their
commits, even when the email is not publicly visible on GitHub.

Very insecure.

~~~
kemiller2002
A few years ago I watched a security talk where the speaker showed how much
sensitive info was in GitHub. There was an amazing number of passwords, and
what really surprised me was that a number of them realized after they pushed
the sensitive data what they did and tried to delete it... they also thought
simply committing over it was the way to delete it. It is possible that
several of these companies did the correct thing and changed the password
after they realized their mistake, but I have a feeling not.
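
An added example, not from the talk mentioned above and not GitMask code, that
makes both of the previous two comments concrete: a POSIX shell script builds a
throwaway repository with a constructed fake database password, "deletes" it by
committing a redacted file over it, then walks every commit reachable from any
ref the way a scraper would, once for the secret and once for author e-mails
(mr_scrapey's harvest is the same walk). It then purges the file from history
with `git filter-branch`, which git still ships although `git filter-repo` is
the documented replacement, and drops the backup refs and reflog that would
otherwise keep the old objects alive. File names, identities and the password
are all made up.

```shell
#!/bin/sh
# Added example: what survives in git history after "committing over" a secret.
# Not from the talk or from GitMask. The password, names and addresses are fake.
set -eu

SECRET="s3cr3t-db-password-example"   # constructed fake credential

# Repository with the classic mistake: commit a secret, then commit a
# redacted version on top and assume it is gone. Prints the repository path.
make_leaky_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" config user.name "Dev One"
    git -C "$dir" config user.email "dev.one@corp.example"
    printf '# demo project\n' > "$dir/README"
    printf 'DB_PASSWORD=%s\n' "$SECRET" > "$dir/config.env"
    git -C "$dir" add README config.env
    git -C "$dir" commit -q -m "add config"
    printf 'DB_PASSWORD=REDACTED\n' > "$dir/config.env"
    git -C "$dir" commit -q -am "remove password"
    echo "$dir"
}

# Number of commits, reachable from any ref, whose tree still contains the
# string. HEAD looks clean; history does not. This is the scraper's view.
secret_hits() {
    n=0
    for c in $(git -C "$1" rev-list --all); do
        if git -C "$1" grep -q -F "$2" "$c"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Every author and committer e-mail across all refs, deduplicated.
harvest_emails() {
    git -C "$1" log --all --format='%ae%n%ce' | sort -u
}

# Remove a path from every commit on every ref, then make the old objects
# unreachable. Without the last three steps the "purged" content is still
# fetchable through refs/original/* and the reflog.
purge_file() {
    FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch -f --index-filter \
        "git rm --cached --ignore-unmatch -q '$2'" -- --all
    git -C "$1" for-each-ref --format='%(refname)' refs/original/ \
        | while read -r ref; do git -C "$1" update-ref -d "$ref"; done
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" gc -q --prune=now
}

# Stand-alone run: show the leak, purge, show what is left.
if [ "${1:-}" = "demo" ]; then
    repo=$(make_leaky_repo)
    echo "commits containing the secret before purge: $(secret_hits "$repo" "$SECRET")"
    purge_file "$repo" config.env
    echo "commits containing the secret after purge:  $(secret_hits "$repo" "$SECRET")"
    echo "e-mails still recoverable from history:"; harvest_emails "$repo"
fi
```

Two things worth noticing when you run it. The purge only helps locally: any
clone, fork or GitHub's own copy made before the rewrite still holds the
secret, so the credential has to be rotated regardless, which is the point the
talk was making. And the author e-mails survive the purge untouched; scrubbing
content and scrubbing identity are different operations.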

------
quadrangle
yet another site that won't even show anything without JavaScript. :(

Even though it's only static images and text!…

------
fishywang
I don't understand it.

If you are a project maintainer on GitHub, how could you accept a PR from an
anonymous user? Let's say you accepted it, and later some company said that
the code from that PR is "stolen" from their code base, and that's true, how
do you deal with that?

~~~
deanclatworthy
There's absolutely no way for you to verify that code submitted as a PR isn't
stolen, anonymous or not. Even if I created an account with a legitimate
identity and submitted a PR to your project which you accepted and then found
out was stolen, what can you do about it? Slap on the wrist and move on.

I hate the idea of having an identity on github. I don't want to be contacted
for support, and I don't want my email being harvested by spam bots and
recruiting agencies (both of which have happened).

~~~
fishywang
The absolute solution for that is forcing contributors to sign a CLA, and I
don't think there's a way to sign that anonymously.

I know a lot of smaller projects won't bother with a CLA, but their maintainers
can still assess the possibility of stolen code and act accordingly. If I'm a
maintainer and the possibility that an incoming PR is stolen (the complexity of
the PR, basically) is high enough, I would look at the information associated
with the contributor (the GitHub account, the email address, etc.). If it's
someone who contributes a lot to other open source projects I would be more
likely to accept it.

Actually on second thought, GitHub really should provide a free CLA management
service to all its users: you (as a project maintainer) can enable a CLA
requirement on your project, once enabled a GitHub-run CLA bot will ask new
contributors to sign a CLA in their first PR, and you can get all the signed
CLAs when needed. If GitLab or BitBucket provide this feature before GitHub
I'll move my projects over in a heartbeat.

------
cracell
Interesting idea but this part made me cringe

"Just because you think DICSS is amusing, doesn't mean you want your boss to
know about it. How about your SO?"

If you are writing code you need to hide from your SO you have some serious
relationship problems.

~~~
odammit
Never heard of DICSS, very disappointed there isn’t a CODE_OF_CONDUCT.md.

~~~
djsumdog
Makes me think of C Plus Equality:

https://github.com/ErisBlastar/cplusequality

------
vivaladav
This is the dumbest thing I have seen on the front page of HN in a long time.

If I really wanted to be anonymous on GitHub I'd create a "fake" account/would
not use my name.

~~~
cutcss
To create a fake account you need a fake email as well and configure git to
not include your email; so I can see some value in this proposition.

------
Fnoord
Without accountability, how would you combat hidden backdoors in code? Doesn't
accountability reduce the risk for hidden backdoors?

~~~
Thiez
What does accountability have to do with anything? Do you think GitHub
verifies who you are when you sign up? They don't. Even if they did, a person
introducing backdoors may not even live in a jurisdiction where this is
illegal, or where you have any chance of suing them. Do you think the data in
a git commit is accurate? You can put anybody's name and email address there,
and any date you like.

Please explain which part of this project ensures _even less_ accountability
than accepting code from a newly created GitHub account.

In addition, I would love to hear how you would hold someone introducing a
backdoor through a GitHub PR accountable even if you know exactly who they
are, where they live, and have a video of them opening the PR, and a signed
confession.

~~~
Fnoord
Fair enough Thiez, the difference between the current situation with and
without GitMask isn't a whole lot.

The only difference is that GitMask invites more anonymous developers. Whether
that is in the interest of other (anonymous and/or non-anonymous) developers
and users is a matter of perspective, and case-by-case hindsight 20/20.

As for holding someone who's known accountable for their mistakes. That's the
entire point of using your real name when it comes to professional work: it
increases accountability.

------
mraza007
This is so cool I love this

------
lima
What's the point? Just make an anonymous GitHub account, they have no real
name policy, after all.

Participation in discussions is a necessity for most interactions with an open
source community.

------
wybiral
This webpage just shows a loading spinner with JS disabled. And after the
recent bugs I intend to keep noscript on for some time.

EDIT: Just saying, if you link to a main page... Make it accessible. Most
serious privacy advocates probably have JS disabled by default.

~~~
djsumdog
I agree. Javascript should be required for simple static content.

~~~
kiwijamo
Did you mean shouldn't be required?

