Hacker News
GitHub exposes everyone's email address in GIT commits (taylorhakes.com)
4 points by asjfkdlf on Feb 8, 2016 | 12 comments

This is not a github issue. A git commit object contains your email address. This is a basic feature of git.

Yes, it is a GIT feature/issue. Github does nothing to protect users (by default) from using their personal email in commits. It is definitely not well known though because almost everyone is using their private email address. Go to any big repo and you can see everyone's email.

This is more about education and changing a default.

No, it isn't github's fault or git issue. All commit metadata is used to generate (and verify) the commit hash. This is basic git functionality. If you somehow hide this piece of information, you make that repo not only unverifiable but also incompatible with any other clone, including the one in your local machine. You wouldn't be able to push to github.

The only issue here is not realizing the email field in the git config doesn't need to be your personal one or even real. And I agree more people should know this, but this is not something github or git needs to fix in any way.

This isn't a bug or a bad default - your email address was never supposed to be private... that's how people contact you (besides the GitHub issues system).

I strongly disagree. People don't appreciate unwanted email to their personal accounts. That is why we don't put our email places where bots, recruiters, etc can easily access it. You generally only want to give your email out to sources that you want contacting you.

If you think people should only use an email address that they want to be contacted with, that is where I am saying the issue lies. People sign up to Github, commit some code without knowing Github is giving their email out to the world. You are arguing that is by design, but I am saying most people don't understand it works that way. It's an education thing or change of defaults.

> People sign up to Github, commit some code without knowing Github is giving their email out to the world.

No - the correct statement is: "People sign up to Github, commit some code without [understanding that their local Git configuration] is giving their email out to the world".

Github is not giving their email out - they are. Their email ends up in the Git commit objects _on their local disk_, long before Github ever sees the commits.

Don't blame Github, Github is not at fault. The users who don't configure their system correctly are at fault. Github is just where those users voluntarily publish their email address (when they publish the Git commit objects that their local Git copy inserted their email address into). The identical issue exists with _any_ internet Git hosting service.

The distinction is subtle, but important. You can argue 'education' all you want, but your article blames Github, when it is not Github's fault, nor can Github do anything about it (because changing the content of the commit objects also changes their sha1 hash, making them _different_ commit objects, and breaking the Git repository in the process).

> You are arguing that is by design,

It is by design, this is how Git works. Create an empty git repository on your local machine, then make a test commit. Then look at the output of 'git log'. The email address you told git to include will be part of the log output. Why? Because it is part of the Git commit object on disk.

> but I am saying most people don't understand it works that way. It's an education thing or change of defaults.

Which is also fine, but your article is written as:

Github reveals your email addresses - they should stop doing so.

When the facts are:

You reveal your email address when you mis-configure Git and then push something to an internet Git hosting service.

Place the 'blame' where it belongs (users mis-configuring their local Git settings) rather than where it does not (Github).
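The point made in the comments above, that the email is stored in the commit object and that changing it changes the SHA-1 of that commit and of every descendant, shown as an added example that is not part of the thread. The name, addresses, timestamps and messages are constructed; the object layout and the empty-tree id are Git's own.

```python
import hashlib

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # id of Git's empty tree

def git_object_id(obj_type: str, body: bytes) -> str:
    """Object id as Git computes it: SHA-1 over '<type> <size>', a NUL, then body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def commit_body(tree, parents, name, email, when, message) -> bytes:
    """Serialize a commit the way Git stores it; the email is plain text."""
    ident = f"{name} <{email}> {when}"
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()

def author_email(body: bytes) -> str:
    """Read the author email back out of a serialized commit."""
    for line in body.decode().split("\n"):
        if line.startswith("author "):
            return line[line.index("<") + 1 : line.index(">")]
    raise ValueError("no author line")

def history_ids(root_email: str, child_email: str) -> list:
    """Ids of a constructed two-commit chain (root, then child)."""
    root = commit_body(EMPTY_TREE, [], "Alice", root_email,
                       "1454889600 +0000", "Initial commit")
    root_id = git_object_id("commit", root)
    # The child names its parent by id, so it inherits any change to the root.
    child = commit_body(EMPTY_TREE, [root_id], "Alice", child_email,
                        "1454893200 +0000", "Second commit")
    return [root_id, git_object_id("commit", child)]

if __name__ == "__main__":
    # Constructed addresses; only the root commit's email differs.
    before = history_ids("alice@personal.example", "alice@personal.example")
    after = history_ids("alice@noreply.example", "alice@personal.example")
    print("root :", before[0], "->", after[0])
    print("child:", before[1], "->", after[1])
```

Both ids change even though the second commit's own email is untouched, which is why a host cannot mask the address after the fact without producing a different history.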

If you have an open source project used by more than yourself, please don't make yourself uncontactable. If you've abandoned the project, make it clear that you have and if you're lucky enough to have an active fork, point to that.

This isn't about contacting people or communicating the status of a Github project. Github issues are a fine way to communicate. If the repo owner isn't responding to issues, I don't think sending email to someone's personal email found through GIT commits is a good option. There is a reason we don't just have everyone's personal email on their Github profile. People don't want spam from people they don't know.

It's Git, not GIT.

Anyway, if you tick the keep my address private box on https://github.com/settings/emails, the email field on your profile won't show.

I don't think this is a big issue.

It's not an issue, I have been using a separate email for all development purposes. You should always separate your email addresses for different purposes; that includes my mobile contacts.

wait until he realizes that unsigned commits can be made to look like they're from anyone...

I feel like someone isn't fully grokking the beauty of decentralized / distributed version control systems...
