Comment by thih9
2 months ago
> you can add .patch to any commit on GitHub to get the author’s unredacted email address
The article calls it a trick but to me it seems a bug. I can’t imagine github leaving that as is, especially after such a blog post.
What’s the point of the “Keep my email addresses private” github option and “noreply” emails then?
Yeah you’ve been able to do this for over a decade. They can’t really stop it:
- Git commits form an immutable Merkle DAG. So commits can’t be changed without changing all subsequent hashes in a git tree
- Commits by default embed your email address.
I suppose GitHub could hide the commit itself, and make you download commits using the cli to be able to see someone’s email address. Would that be any better? It’s not more secure. Just less convenient.
Git (the version control program, not GitHub) associates the author’s email address with every single commit. The user of Git configures this email address. This isn’t secret information.
> What’s the point of the “Keep my email addresses private” github option and “noreply” emails then?
Those settings will affect what email shows up in commits.
In commits you create on other tooling you can configure a fake/alternate user.email address in gitconfig. Git (not just GitHub) needs some email address for each commit but it is freetext.
There is one problem: commit signatures. For GitHub to consider a commit not created by github.com Web UI to be "verified" and get a green check mark, the following needs to hold:
- Commit is signed
- Commit email address matches a verified GH account email address
So you can not use a 'nocontact@thih9.example.com' address and get green checks on your commits - it needs to be an address that is at least active when you add it to your account.
Run git show on any commit object, or look at the default output of git log, and you'll see the same. Your author name and email are always public. If you want, use a specific public address for those purposes.
That is demonstrably not true on github and gitlab, both having the ability to set an email alias which redirects the messages to your real email without revealing it.
https://docs.github.com/en/account-and-profile/how-tos/email...
I don't think you necessarily disagree with what I'm saying.
1. git commits record an author name and email
2. github/gitlab offer an email relay so you can choose to configure your git client (and any browser-based commits you generate) to record that as the email address
3. github/gitlab do not rewrite your pushed commits to "sanitize" any "private" email addresses
4. the .patch suffix "trick" just shows what was recorded in the commit
When I said
> If you want, use a specific public address for those purposes.
that includes using the github/gitlab relay address -- but make sure to actually change your gitconfig, you can't just configure it on the web and be done.
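Here is an added example (not part of this thread, and not GitHub's or Git's own tooling) that puts the points above into a throwaway repository: set the relay-style address in the repo's gitconfig, commit, then read back what `git log` and a `format-patch` export actually record, and audit the history for any author address that is not a relay address. The noreply address and the `private@example.invalid` address are constructed placeholders; the audit pattern assumes GitHub's `users.noreply.github.com` relay domain and would need adjusting for another host.

```shell
#!/bin/sh
# Added example, not code from the thread: show that the author email stored
# in a commit is exactly what "git log" and a .patch export expose, and audit
# a history for addresses that are not relay addresses.
set -eu

# Constructed placeholder; a real GitHub relay address has the same shape.
NOREPLY_EMAIL="0000000+example-user@users.noreply.github.com"
# Assumed relay domain (GitHub's); change it for other hosting providers.
RELAY_PATTERN='@users\.noreply\.github\.com$'

# make_repo DIR: create a repo whose *repo-level* config uses the relay address.
# Repo-level config overrides the global one, so this is what lands in commits.
make_repo() {
    dir="$1"
    rm -rf "$dir"
    git init -q "$dir"
    git -C "$dir" config user.name "Example User"
    git -C "$dir" config user.email "$NOREPLY_EMAIL"
    echo "hello" > "$dir/README"
    git -C "$dir" add README
    git -C "$dir" -c commit.gpgsign=false commit -q -m "initial commit"
}

# add_commit DIR EMAIL MSG: add an empty commit authored from EMAIL, simulating
# a machine whose gitconfig was never switched to the relay address.
add_commit() {
    git -C "$1" -c user.email="$2" -c commit.gpgsign=false \
        commit -q --allow-empty -m "$3"
}

# recorded_email DIR: the author email stored in the newest commit object.
recorded_email() {
    git -C "$1" log -1 --format='%ae'
}

# patch_from_line DIR: the "From:" header a .patch export of HEAD would show.
patch_from_line() {
    git -C "$1" format-patch -1 --stdout HEAD | grep -m1 '^From: '
}

# leaked_emails DIR: author emails anywhere in history that are not relay
# addresses. Empty output means the history only exposes relay addresses.
leaked_emails() {
    git -C "$1" log --format='%ae' | grep -v "$RELAY_PATTERN" || true
}

repo="${TMPDIR:-/tmp}/email-demo-$$"
make_repo "$repo"
echo "recorded in commit: $(recorded_email "$repo")"
echo "patch export shows: $(patch_from_line "$repo")"
echo "leaked so far:      [$(leaked_emails "$repo")]"

# Now commit from a machine that still has a personal address configured.
add_commit "$repo" "private@example.invalid" "commit from an unconfigured machine"
echo "leaked after that:  [$(leaked_emails "$repo")]"
rm -rf "$repo"
```

The last line of output is the point of the thread: the web setting does nothing for commits made elsewhere, so an audit over `git log --format='%ae'` before pushing is the only reliable check.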
You chose which email to commit with, and GitHub provides you an email you can use if you don’t want to expose your personal email.
Just wait until you find out what is written on every single git commit that can be fetched.
Don’t keep us in suspense! :)
Git commits contain the author's name and email address.