Why I deleted all my GitHub repos and why you might want to do that too.
GitHub is a popular website to share Git repositories or repos as they’re usually called.
When you create a Git repository on GitHub, you can share it with the public and be able to work together on the same project with various people.
All this sounds great and it is but there are some good alternatives out there. Even open source ones that you can self-host if you prefer it like that.
The Problem with GitHub
GitHub is not open source and was aqquired by Microsoft.
This wouldn’t matter for me much but there is something else about GitHub and public repos in general.
I had to setup Github Desktop because of enhanced security. Had to use keys and extra security for verified commits. Perfect did that.
Also in the settings I saw a fake email my.name.@ github.com or something similar actually was: dragosion@users.noreply.github.com.
There I had the option to choose my real github email so I did that… changed from the strange email to my real one.
Later I started getting and still getting more and more nigerian letter type scam emails or various types of scam emails in general and I wondered why now.
What changed?
Then I remember, GitHub
So it goes like this…
If you put your real email in the commits, everyone can see them in public repos. The whole point of Github as a non-pro account is to have public repos.
Now everyone can see you email in the commit history.
You don’t believe me?
This this go to your repository on GitHub, example https://github.com/dragosion/GitHubEmailLeak_CommitHistory_Test
Click the commit history button https://github.com/dragosion/GitHubEmailLeak_CommitHistory_Test/commits/main
Select any of your commits https://github.com/dragosion/GitHubEmailLeak_CommitHistory_Test/commit/40de73094fd3d11868ce3803c3460243f452cfb4
Now in this url at the end add .patch: https://github.com/dragosion/GitHubEmailLeak_CommitHistory_Test/commit/40de73094fd3d11868ce3803c3460243f452cfb4.patch
You can see now the commit details and email related to this commit. Useful feature if you are looking to patch a bug but also useful for a spam-bot to harvest email addresses and this is plain text – no anti spam features as far as I see but they might have rate limiting.
From 40de73094fd3d11868ce3803c3460243f452cfb4 Mon Sep 17 00:00:00 2001
From: Dragos Ion <dragosion@users.noreply.github.com>
Date: Thu, 29 Sep 2021 22:49:42 +0300
Subject: [PATCH] Update README.md
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 8f1c617..8559c60 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
# GitHubEmailLeak_CommitHistory_Test
GitHubEmailLeak_CommitHistory_Test what is says above.
+test edit.
GitHub now has the option to block commits from clients that would leak your real email address but the damage is already done and what they should offer is a way to remove the real email from past commits not future ones like it does now.
Even if you do a clean local git repo and do a git push –force you might have some unexpected results and mess-up the whole repo.
The only way to be sure is to remove the email from your Git settings locally, delete the whole remote repo, then push the local new repo to remote github.
Same on Github desktop.
My Github repos didn’t matter much so I deleted them and didn’t re-create them but can do it in the future on Bitbucket or even GitHub.
A good alternative to Github is:
- SourceForge https://sourceforge.net/
Freemium / Professional options:
- AWS CodeCommit https://aws.amazon.com/codecommit/
- Atlassian BitBucket https://bitbucket.org/
- Google Cloud Repositories https://cloud.google.com/source-repositories/
- GitLab https://about.gitlab.com/
- Gitea https://gitea.io/en-us/
You can continue to use GitHub as I probably will but woult look at sourceforge too and be more careful with the commit email leaking to spam bots.
This happened because of me, it was my fault. GitHub could have explained it to me better – Your REAL Email WILL be LEAKED to the PUBLIC and POSSIBLY WILL be Harvested BY SPAM BOTS in red, and a are you sure you want that button should do it for me but this is still my fault for using my real email on a Git repo.
That’s all for now.
Leave a Reply