I do think there's a disconnect between which pieces of data people think are public vs. what is actually public. My git commit email was one of them. That's what I'm trying to illustrate in my post.
That's almost always correct :)
Unless you ignore the confirmation email that gets sent to you.
If you already have an email address in your GitHub account that you want to use for the purpose of linking commits but don't want to be usable for resetting passwords, and you've already verified it, you can delete the email address and then just add it back, and then delete the verification email that gets sent.
I've written to GitHub twice, once to their support address and once to their security address about it, and they were pretty middle-of-the-road about it. But Twitter has a big issue with fraudulent password resets, so I wish they'd make it so only the primary email can be used for password resets, or provide a way to say which email addresses can be used for password resets.
I just tested it and successfully reset my password without ever verifying the new email address - so it's an open invitation for someone to hijack your account if you don't control the fake one.
Beats me what the purpose of the verification is.
Not as bad as I thought, but it still seems a bit questionable.
I think it's alright, and I think the problem could be largely solved by only allowing people to reset their passwords with their primary email addresses.
Today's new thing has been learned.
Last month a recruiter was able to get my email address through this very mechanism. It immediately felt slimy to me and completely put me off the companies they were recruiting for.
If this becomes widespread, people will start cloaking their git commit email in the same way that they cloak their DNS email records.
I noticed something similar for my dotfiles. My Emacs config has my full name and email address in it (where the email address also includes the full name, again), whereas my git commits use another, less directly connected name.
It doesn't really have to do with excessive paranoia (and by all means, it's not that hard to get to a full name from either address), but these are the small places where I tend to forget that information will (or: would) thus ultimately end up in public.
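A quick way to see which addresses a repository would expose, covering both the commit history and a config file like the Emacs one mentioned above. This is an added example, not code from anyone in the thread; the git log lines and the Emacs snippet are constructed samples, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of `git log --format='%an <%ae>'` output (not from a real repo).
SAMPLE_GIT_LOG = """\
Jane Doe <jane.doe@example.com>
Jane Doe <jane.doe@example.com>
jdoe <12345678+jdoe@users.noreply.github.com>
Jane Doe <jane@corp.example>
"""

# Constructed Emacs config snippet with the kind of leak described in the thread.
SAMPLE_DOTFILE = """\
(setq user-full-name "Jane Doe")
(setq user-mail-address "jane.doe@example.com")
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# GitHub's per-user noreply domain; addresses there reveal nothing beyond the username.
NOREPLY_SUFFIX = "@users.noreply.github.com"


def commit_emails(git_log_text):
    """Map each author email found in git log output to its commit count."""
    counts = defaultdict(int)
    for line in git_log_text.splitlines():
        m = EMAIL_RE.search(line)
        if m:
            counts[m.group(0).lower()] += 1
    return dict(counts)


def exposed_emails(git_log_text, dotfile_text):
    """Non-noreply addresses that become public if the history and the dotfile are pushed."""
    found = set(commit_emails(git_log_text))
    found |= {m.lower() for m in EMAIL_RE.findall(dotfile_text)}
    return {e for e in found if not e.endswith(NOREPLY_SUFFIX)}


if __name__ == "__main__":
    for email, n in sorted(commit_emails(SAMPLE_GIT_LOG).items()):
        print(f"{n:3d} commit(s) by {email}")
    for email in sorted(exposed_emails(SAMPLE_GIT_LOG, SAMPLE_DOTFILE)):
        print("would be public:", email)
```

To run it against a real checkout, feed it the output of `git log --format='%an <%ae>'` and the contents of the config files you intend to publish.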
Please don't use fake email IDs. That defeats the whole purpose of open source. Of course, if you are working on something closed source, the email IDs aren't public by definition; those git repositories aren't public.