Remember: your git commit email is public (theflyingdeveloper.com)
55 points by davefp on May 21, 2013 | 29 comments

Uh, no. Git commit messages which are stored in public repositories such as Github are public, because public repositories are public. Git commit messages which are stored in private repositories are private. Git commit messages have the same access restrictions as the repositories which contain them. Duh?

Absolutely. I should probably have clarified that.

I do think there's a disconnect between which pieces of data people think are public vs. what is actually public. My git commit email was one of them. That's what I'm trying to illustrate in my post.

Gotcha. Fair enough. Perhaps I shouldn't have said "duh".

> Perhaps I shouldn't have said "duh"

That's almost always correct :)

I don't know, 'duh' is a good term for that feeling when you realize something you should have realized a long time ago.

See Github's setup tip on configuring a fake email address: https://help.github.com/articles/keeping-your-email-address-...

Thanks for the link, I've updated the post :)
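Before publishing a repository it helps to check what the history already contains, since both the author and the committer address end up public. This audit script is an added example, not code from the linked post or from GitHub; it parses the output of `git log --format='%H %ae %ce'`, and the allow-list patterns (GitHub's noreply form plus the `public+<service>@example.org` style mentioned later in this thread) are assumptions for the example.

```python
"""Flag commits whose author or committer email is not a private/noreply address.

Usage:  git log --format='%H %ae %ce' | python audit_emails.py
Without stdin it runs against the constructed sample below.
"""
import re
import sys

# Constructed sample of `git log --format='%H %ae %ce'`; hashes and addresses
# are made up for this example.
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 12345+alice@users.noreply.github.com 12345+alice@users.noreply.github.com
0f1e2d3c4b5a69788796a5b4c3d2e1f0fedcba98 alice@corp-mail.example alice@corp-mail.example
9876543210fedcba9876543210fedcba98765432 public+git@example.org bob@laptop.local
"""

# Assumed allow-list: GitHub's noreply addresses and a "public+<service>" alias.
ALLOWED = (
    re.compile(r"^[^@\s]+@users\.noreply\.github\.com$"),
    re.compile(r"^public\+[a-z]+@example\.org$"),
)


def is_private(email: str) -> bool:
    """True if the address matches one of the allow-list patterns."""
    return any(p.match(email) for p in ALLOWED)


def find_exposed(log_text: str):
    """Return (hash, role, email) for every address that would become public."""
    exposed = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than guess
        sha, author, committer = parts
        # The committer email is easy to forget; it is often a machine-local
        # address that was never configured deliberately.
        for role, email in (("author", author), ("committer", committer)):
            if not is_private(email):
                exposed.append((sha, role, email))
    return exposed


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    hits = find_exposed(text)
    for sha, role, email in hits:
        print(f"{sha[:12]} {role}: {email}")
    sys.exit(1 if hits else 0)
```

Fixing an existing address in history needs a rewrite (`git filter-repo` or similar) and a force push, so running the check before the first public push is far cheaper.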

Also your git commit email needs to be added to your GitHub account for it to link to your GitHub account. And then it can be used to reset your passwords. So you'd better make sure you pick one that you're in control of.

Unless you ignore the confirmation email that gets sent to you.

If you already have an email address in your GitHub account that you want to use for the purpose of linking commits but don't want to be usable for resetting passwords, and you've already verified it, you can delete the email address and then just add it back, and then delete the verification email that gets sent.

I've written to GitHub twice, once to their support address and once to their security address about it and they were pretty middle-of-the-road about it. But twitter has a big issue with fraudulent password resets so I wish they'd make it so only the primary email can be used for password resets, or provide a way to say which email addresses can be used for password resets.

> Also your git commit email needs to be added to your GitHub account for it to link to your GitHub account. And then it can be used to reset your passwords. So you'd better make sure you pick one that you're in control of.

I just tested it and successfully reset my password without ever verifying the new email address - so it's an open invitation for someone to hijack your account if you don't control the fake one.

Beats me what the purpose of the verification is.

Also at least one of GitHub's employees has an email address from a company that he used to work for. This just shows that not everyone who signs up for GitHub uses an email address that's under their control. https://github.com/github/linguist/commit/99c296264ab320d41c...

Correction: it's actually only possible to use an unverified email to reset the password if you don't have any verified emails on the account.

Not as bad as I thought, but it still seems a bit questionable.

Ah...makes sense.

I think it's alright, and I think the problem could be largely solved by only allowing people to reset their passwords with their primary email addresses.

I don't mind particularly whether my email is public or not, but it is definitely useful to know how the sender knew/collected my email address. For that purpose I'm using two addresses: public+{hg,git} at my domain. I have bunches of other addresses of the form public+<service> at my domain, and some of the form public.<service> at my domain (as <service> stupidly refused to accept an email address with +).

Some spammy things throw away the + because they know they are optional. Having your own domain is nice because you can set it up to make <anything>@yourdomain.com work.

Actually I do. ;) Also, public at my domain is separate from my "official" email addresses so I can reasonably expect emails from public at my domain are results of automatic crawling.

Correction: your git commit email (used in public repositories) is public.

Yes, indeed. That's an important clarification.

Definitely made me laugh at myself, as I certainly hadn't thought about this... after the initial "oh crap" moment, further analysis revealed that I don't particularly care.

Today's new thing has been learned.

This seems like a great way for a recruiter to alienate someone they are hoping to recruit.

Last month a recruiter was able to get my email address through this very mechanism. It immediately felt slimy to me and completely put me off the companies they were recruiting for.

If this becomes widespread people will start cloaking their git commit email in the same way that they cloak their DNS email records.

I think this brings up a good point, not just regarding git, but also in general.

I noticed something similar also for my dotfiles. My emacs config has my full name and email address (whereas the email address also includes the full name, again) in it (whereas my git commits use another, less directly connected name).

It doesn't really have to do with excessive paranoia (and by all means, it's not that hard to get to a full name from either address), but these are the small places where I tend to forget that information will (or: would) thus ultimately end up in public.

git was built for linux.git. A tool for developers in the linux community to collaborate. Of course the email ID is public: if someone finds a bug, they should be able to send a patch to the maintainer right away.

Please don't use fake email ids. That defeats the whole purpose of open source. Of course, if you are working on something closed source, the email ids aren't public by definition; those git repositories aren't public.

I don't think this is really an issue any more, even Linux itself has its source on Github now. There are almost certainly alternative, arguably better ways of contacting the maintainer of a public repository now.

I tried sending you an email but there seems to be a problem with the MX record associated with your domain. Mail is being rejected.

I guess that's one way of dealing with the problem...

Oops. Thanks for the heads up on the DNS issue. Should be fixed now. I'll respond to your email shortly.

No worries. Happens to the best of us! Looking forward to your reply. Sorry about the forwardness of it.

wow... any chance this is the reason I've suddenly started getting pounded with "work in america!" emails? (I'm Canadian, and probably not the demographic they are trying to target)

You can also access the links using digits ex.[https://api.github.com/users/6/events/public], so I could see someone easily mining each page for email addresses and names for their recruiting bot… pretty interesting stuff.
