Does Git publicly expose my e-mail address?
Asked Answered
M

9

142

The guides I've read so far on Git say that I should go into the config and specify my name and my e-mail address. They don't elaborate; they just say to do it.

Why does Git need my e-mail address? And, more importantly, if I make my repo publicly available, via GitHub for example, will my e-mail address be visible to everyone (including spambots)?

Monstrous answered 22/5, 2009 at 12:24 Comment(2)
I think this is a valid (although non-technical) question about a programming related tool - like lots of other questions on SO - and doesn't deserve to be downvoted as "not-programming-related".Horripilation
GitHub now (August 2013) allows you to keep your email address private! See my answer below. You can register a fake email address too, in order to not use it in the commits you are pushing to GitHub.Hammond
A
47

Git uses your email address to identify you, as well as do other tasks (such as sign a tag with a GPG key). Your email address does get embedded as part of your identity in commit logs, etc., along with the name you specify. For example, the "author" field in a commit log would show up as:

Author: Joe White <[email protected]>

So the information is available to anyone with a copy of the repo, since it acts as an identifier.

Your email probably won't be visible to spambots, though, unless you use Gitweb, or a service like GitHub, to make your repo available through a web interface (merely putting it on the Internet doesn't do this).

I suppose you could fill in a fake email address or use an empty string or space or something (I don't think Git checks the format or validity of the email), but the email is useful if someone who clones the repo needs to send you a patch or contact you in some way.

Anarch answered 22/5, 2009 at 12:29 Comment(5)
Arguably github, gitweb et al should have an option for obscuring email addresses just like mailing list archive viewers do. Although it being a valid email address is just a convention, tools like 'git send-email' are written assuming that it's true (automatically cc'ing patch authors, for instance)Credits
You can configure git to use other identity that the one given by user.name and user.email for GPG key for signing tagsSlowworm
Older centralized version control systems use "username" for identifying author of a commit (of a change). Name + email is good identity; it doesn't need to be real email though.Slowworm
GitHub has an update where you can use a fake e-mail address linked to your profile - https://mcmap.net/q/161541/-cannot-verify-fake-email-in-githubDayan
GitHub can remember even PR commits on a deleted branch that were merged sing rebase (and so, do not expose the email/name anywhere in the repo except on the PR web page). If the PR was merged, I don't know any way to reverse the commits (if it is still open you can rebase and force push).Lombardy
H
64

Update April 2017

See "Private emails, now more private"

GitHub has supported using an alternate "noreply" email address to author web-based commits for a while now. Starting today, there's another way to ensure you don't inadvertently publish your email address when pushing commits to GitHub via the command line.

Git uses your email address to associate your name to any commits you author. Once you push your commits to a public repository on GitHub, the authorship metadata is published as well.

If you'd like to ensure you don't accidentally publish your email address, simply check the "Keep my email address private" and "Block command line pushes that expose my email" options in your email settings.

https://static.mcmap.net/file/mcmap/ZG-AbGLDKwfjaFf0XC2nZ7-ocVI0bRywWRfQcFyQcC2jaRA/assets/33750/24673856/a995cb74-1947-11e7-8653-65bc604a4101.png

Note: as commented below by orev, Git doesn't expose anything. GitHub, a Git repositories hosting service, might.
The place where you are pushing your local Git repo can expose metadata.


Note: Starting August, 9th 2013, you now can keep your email address private!

That is for web-based GitHub operations though: the commits still contain an email address, which could or could not be the same than the one used for your GitHub account.
See below to "mask" that (git commit) email too.

Until today, all web-based GitHub Flow used your primary email address. This includes creating, editing, and deleting files, as well as merging pull requests.

But now you can keep your email address private. To do so, visit your email settings page:

email settings

With this turned on, web-based operations will use a [email protected] email address.


If you want to hide your email made from your computer, GitHub now allows you to register different email addresses: see this guide.

You still need to configure your (fake) email in your local repo before pushing back to GitHub, if you want your commits to reflect

git config --global user.email "[email protected]" # Set email to slightly changed value
git config --global user.email # Verify the setting
# [email protected]

Then:

  • Go to the Emails setting menu
  • Click "Add another email address"
  • Enter the fake email (e.g. "[email protected]") and click "Add"

add new email address

Note that:

This setting only affects future commits.
If you want to erase your real email address from your repository's commit history, you will have to rewrite your old commits. The easiest way to do this is to:

Use git filter-branch to rewrite the repository history and Force-push the new history up.

Hammond answered 12/8, 2013 at 11:41 Comment(4)
This is useful to know, however I think it should be very clear that GitHub is not the same a git. git is a general purpose, open source, revision control tool, while GitHub is a web site that allows you to publish a git repository. GitHub did not create git, they just happen to have created a very nice web site that works well with it.Leukoderma
@Leukoderma Good point. I have included that warning in the answer.Hammond
@VonC, Wasn't the setting (re "But now you can keep your email address private. To do so") checked by default?Palliasse
@Palliasse Not according to this guide.Hammond
A
47

Git uses your email address to identify you, as well as do other tasks (such as sign a tag with a GPG key). Your email address does get embedded as part of your identity in commit logs, etc., along with the name you specify. For example, the "author" field in a commit log would show up as:

Author: Joe White <[email protected]>

So the information is available to anyone with a copy of the repo, since it acts as an identifier.

Your email probably won't be visible to spambots, though, unless you use Gitweb, or a service like GitHub, to make your repo available through a web interface (merely putting it on the Internet doesn't do this).

I suppose you could fill in a fake email address or use an empty string or space or something (I don't think Git checks the format or validity of the email), but the email is useful if someone who clones the repo needs to send you a patch or contact you in some way.

Anarch answered 22/5, 2009 at 12:29 Comment(5)
Arguably github, gitweb et al should have an option for obscuring email addresses just like mailing list archive viewers do. Although it being a valid email address is just a convention, tools like 'git send-email' are written assuming that it's true (automatically cc'ing patch authors, for instance)Credits
You can configure git to use other identity that the one given by user.name and user.email for GPG key for signing tagsSlowworm
Older centralized version control systems use "username" for identifying author of a commit (of a change). Name + email is good identity; it doesn't need to be real email though.Slowworm
GitHub has an update where you can use a fake e-mail address linked to your profile - https://mcmap.net/q/161541/-cannot-verify-fake-email-in-githubDayan
GitHub can remember even PR commits on a deleted branch that were merged sing rebase (and so, do not expose the email/name anywhere in the repo except on the PR web page). If the PR was merged, I don't know any way to reverse the commits (if it is still open you can rebase and force push).Lombardy
L
13

GitHub has a help article called Keeping your email address private, which begins:

Git requires you to identify yourself in order to make commits, but you can hide your contact information by using a fake address. Git itself doesn't care if the email is valid.

Good to know: Although Git does not care, some projects might not accept contributions from you if your commits do not have a valid email address, so you will want to research your project's contribution policies before following these instructions.

GitHub does not get many reports of spam being sent to Git commit email addresses, but if you are worried about it, this guide should help you address those concerns.

The guide contains steps how to configure both Git and GitHub to use a fake address.

Lobule answered 5/9, 2012 at 17:54 Comment(1)
I am getting a lot of spam to my GitHub commit e-mail address. I use a dedicated one for that.Dahle
A
9

Millions of GitHub commit emails "leaked"

https://github.com/cirosantilli/all-github-commit-emails extracted from GitHub Archives https://www.githubarchive.org exports commit.

GitHub Archive gets data from GitHub's events API: https://developer.github.com/v3/activity/events/types/#pushevent and exports it to Google BigQuery hourly which makes it easier to query.

Emails used to be shown on events of type PushEvent, but they stopped after I did this.

I don't think commit emails show anywhere on GitHub's web interface (except the email you set in your GitHub profile, and that only shows for logged in users as of 2022), so any collection is limited by the API rate limiting. TODO: how much time to collect 1M emails via API from scratch.

Practical way to get someone's commit email with the API

ghmail() { curl "https://api.github.com/users/$1/events/public" | grep email; }
ghmail cirosantilli

or visit: https://api.github.com/users/cirosantilli/events/public

There are also:

The Git commit data structure has an explicit author and committer email field

Shown at: What is the file format of a git commit object data structure?

Therefore it is clear that this information is added to commits by default.

Aarika answered 8/9, 2015 at 11:21 Comment(0)
C
8

Yes, the above answers are correct ... except you want to typically have the same email address for all your projects then you would use the command:

git config --global user.email "[email protected]"

You can also edit the .gitconfig file in your home directory, in the user section.

You can specify a different email for a particular project by doing the same command without the global option.

Also, I suggest that you can obfuscate your email if the submits are going to a public area:

briancolfer(at)comcast.net

As an example.

Chirlin answered 22/5, 2009 at 12:24 Comment(0)
W
6

You can retroactively change the author name, email etc. BEWARE that doing the following can corrupt your history.

#!/bin/sh

git filter-branch --env-filter '

an="$GIT_AUTHOR_NAME"
am="$GIT_AUTHOR_EMAIL"
cn="$GIT_COMMITTER_NAME"
cm="$GIT_COMMITTER_EMAIL"

if [ "$GIT_COMMITTER_EMAIL" = "[email protected]" ]
then
    cn="Your New Committer Name"
    cm="Your New Committer Email"
fi
if [ "$GIT_AUTHOR_EMAIL" = "[email protected]" ]
then
    an="Your New Author Name"
    am="Your New Author Email"
fi

export GIT_AUTHOR_NAME="$an"
export GIT_AUTHOR_EMAIL="$am"
export GIT_COMMITTER_NAME="$cn"
export GIT_COMMITTER_EMAIL="$cm"
'

Taken from here

Wyn answered 12/5, 2012 at 16:5 Comment(0)
B
5

GitHub has a help section about setting your email address.

Specifically it says:

Good to know: You don't have to give a valid email. If you're concerned about spam, use a fake email instead. [email protected] is a common practice.

Boggs answered 16/1, 2013 at 14:48 Comment(0)
F
4

Yes, your email address (as specified in git config user.email) will be visible in web interfaces like GitWeb. Also everybody can learn your email address by cloning your repository though this is probably still far beyond spambots. Nobody forces you to use a real email address, though. Git will automatically set a constructed email address if none is given. On my machine without user.email it shows commits by “Foo <foo@daughter.(none)>”.

Fries answered 22/5, 2009 at 12:30 Comment(0)
H
2

if I make my repo publicly available, via GitHub for example, will my e-mail address be visible to everyone

Note: you can also make your repository locally available, through a local gitweb (web frontend to Git repositories, packaged with a regular Git distribution, and which can be installed with git instaweb).

And with Git 2.32 (Q2 2021), "gitweb" learned "e-mail privacy" feature to redact strings that look like e-mail addresses on various pages.

See commit 0996dd3 (28 Mar 2021) by Georgios Kontaxis (kontaxis).
(Merged by Junio C Hamano -- gitster -- in commit a9414b8, 13 Apr 2021)

gitweb: add "e-mail privacy" feature to redact e-mail addresses

Signed-off-by: Georgios Kontaxis
Acked-by: Eric Wong
Acked-by: Ævar Arnfjörð Bjarmason

Gitweb extracts content from the Git log and makes it accessible over HTTP.
As a result, e-mail addresses found in commits are exposed to web crawlers and they may not respect robots.txt.
This can result in unsolicited messages.

Introduce an 'email-privacy' feature which redacts e-mail addresses from the generated HTML content.
Specifically, obscure addresses retrieved from the the author/committer and comment sections of the Git log.
The feature is off by default.

This feature does not prevent someone from downloading the unredacted commit log, e.g., by cloning the repository, and extracting information from it.
It aims to hinder the low- effort, bulk collection of e-mail addresses by web crawlers.

gitweb.conf now includes in its man page:

email-privacy

Redact e-mail addresses from the generated HTML, etc. content. This obscures e-mail addresses retrieved from the author/committer and comment sections of the Git log.
It is meant to hinder web crawlers that harvest and abuse addresses. Such crawlers may not respect robots.txt.
Note that users and user tools also see the addresses as redacted. If Gitweb is not the final step in a workflow then subsequent steps may misbehave because of the redacted information they receive.
Disabled by default.

Hammond answered 16/4, 2021 at 22:54 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.