I do see a point in it working like it does, though. I'm one of the lead developers on a free software project with over 20 years of history. Even though the project has used multiple version control systems (and hosting providers) over time, we have imported our entire project's history going back to the very first commit into git and GitHub.<p>Not every contributor has kept their email address for over 20 years. Some don't have access to the old addresses they once used for commits. Still they want the commits to be associated with their current GitHub account; even if it's just for statistics and "bragging rights".<p>If GitHub required email address verification, how would this be done?<p>EDIT: To be clear: With "working like it does" I'm referring to the possibility to add unverified email addresses to your account and have commits attributed to you.
In spite of GitHub's claims that nothing is wrong, something <i>is</i> wrong and fixable.<p>GitHub should be showing the identity pulled from the e-mail address, and not replacing it with the name of an associated GitHub account. Just like it does when there is no associated GH account.<p>A reasonable compromise would be to show that name, but turn it into a link to the account if there is one. Then only someone curious clicking on "Linus Torvalds" would see: hey, how come this leads to some VanTudor account?
GitHub’s response is pretty surprising. How can anyone think this is expected? Having to follow Git’s commit message emails makes sense and indeed anybody can use any email they want to make a commit. But then for GitHub to make the connection between (unverified) commit emails and (unverified) GitHub.com accounts is the issue for me. Since they can’t verify the commit email belongs to a GitHub account, why show that as though it were true?
I thought this might be something different. Have seen this happen multiple times over the years - even once just last week.<p>Colleague files an issue with a PR. Project owners close it, say 'no, not a bug', then... commit the same thing themselves as "fixed!". Saw this years before in cvs/svn, and... at least in the GH world there's some evidence of the original PR author having done the work in the first place (vs being invisibly cut out).
Or you can just do this: <a href="https://github.com/bhargavchippada/forceatlas2/commit/7438e2e48347a70d6ebd0bafcca22aea86629a79" rel="nofollow">https://github.com/bhargavchippada/forceatlas2/commit/7438e2...</a>
I have used emails in the past I can no longer verify, so I see a use case for linking unverified emails to profiles if there's only one profile claiming the email address<p>However, if another profile verified that email address, it definitely shouldn't link to another profile that hasn't verified
It seems that one proper solution could be:<p>1 - Don't associate the commit to an account if the email is unverified, obviously<p>2 - If someone tries to "forge" ownership by pushing a commit with an e-mail that doesn't belong to the GitHub account being used to push, an "unverified" warning should be added to the commit and manually claimed by the account owning said e-mail for its status to change.
Veering off topic but I absolutely hate that git requires you to have an "email address" (which cannot be empty and iirc must satisfy some regex criteria for a valid-looking address). A particular choice of user identifier or communication medium should not be hardcoded into the totally unrelated concern of source-control, IMO. Anonymous and non-email accounts should be first-class things. Instead of email maybe you'd want to have your public-key or something.
I scrolled through all the comments and didn’t see this answer.<p>What better way to recruit famous people to your platform than to allow people to trivially claim their commits until and unless they join and claim them?<p>It is most likely driven by customer acquisition — hence the response “working as expected!”
I remember when one of our contractors refused to do a rebase for like, a week, and just ignored any messages we sent him. I changed my e-mail on git to his, rebase, push, PR merged :)<p>Nobody ever found out hahaha
I remember this earlier subthread where someone was criticizing GitHub for allowing this (even using Torvald as someone to impersonate!), and others offered some defenses (which were IMHO dubious):<p><a href="https://news.ycombinator.com/item?id=21025378" rel="nofollow">https://news.ycombinator.com/item?id=21025378</a><p>Also, semi-related, obligatory mention of my joke utility for stealing credit for someone else's work:<p><a href="https://github.com/silasx/git-upstage" rel="nofollow">https://github.com/silasx/git-upstage</a><p>Finally, I thought this phrasing was funny, like commits have a non-substantively transferable ownership, like an NFT (though FYI it's quoting an older discussion of the same problem):<p>>Someone wrote about the whole situation on Medium in November 2021: "The 1st commit of git/git no longer belongs to Linus Torvalds".
Could someone also write bad code and commit it using someone else's email address in the commit message, thus making the commit link to the other person's Github profile? (Sort of the reverse problem -- "giving blame" instead of "taking credit")
Arpad, your site looks like this - <a href="https://i.imgur.com/jj9Uxbl.png" rel="nofollow">https://i.imgur.com/jj9Uxbl.png</a><p>Not just the linked page, the homepage too. All but illegible. That's in a recent Firefox on Windows. Just FYI.
I noticed that arraypad is really trying to push his repography project. Whilst this is not a bad thing, it seems like he is using the blog posts as an excuse to push his project more.<p>I don't mind that much, but I think I've seen these posts hitting the front page quite a lot already - it's a good strategy but it could be maybe against the guidelines:<p>> Please don't use HN primarily for promotion. It's ok to post your own stuff occasionally, but the primary use of the site should be for curiosity.
This reminds me very much of a "hack" I performed in a workplace that used Outlook/Exchange as its primary email system. I simply sent an email (to a few, trusted people) with the "from" field set to the CEO's name/address.<p>In their inbox it looked completely legit. Outlook even put the CEO's avatar next to it and everything. They were genuinely shocked. Even after I explained that the "from" field is just like me writing "love from Mum" at the bottom of a letter, I think they still couldn't believe it.<p>There is a problem with people assuming that all data they find is authoritative. People don't question whether they can trust data often enough. Another problem is when you make things look nice enough, they look trustworthy. This is a well known confidence trick, of course.<p>My PhD supervisor objected to me typesetting my work in LaTeX before it had been checked because he said once it's typeset it <i>looks</i> correct, but might still be complete rubbish.<p>Unfortunately this all boils down to web-of-trust, as usual. We've had the solution for decades now, but we've collectively agreed that it's more trouble than it's worth. So these kinds of problems will keep popping up again and again.
Why not add a small orange (!) icon next to the name for unverified emails, or a similar indicator? As a way of saying "this user claimed authorship, but we couldn't verify it".<p>When you commit from the Github page itself, a similar green "verified" check is shown, but if you do it from command line and then push nothing is shown. So the infrastructure for special verification messages is there, and perhaps could be used.
I'm not entirely sold on the explanation "This is just how git commit (messages) work". GitHub could easily limit linking the GitHub profile to profiles whose e-mail address has been verified (by usual means, no GPG required).<p>They could show statistics and attribution limited to the data available in the commit messages (e.g. accumulated statistics by e-mail address) for contributors without a GitHub profile.<p>Am I missing something here?
(Edit: just read the other comments addressing the use cases)
I knew about the ability to push commits as someone else, but GitHub allowing taking ownership of other people's commits in their own repos, using an <i>unverified</i> e-mail address seems like a whole other level of insecurity here.<p>Even though the git -> email link is weak for reasons beyond GitHub's control, I expected the email -> github account link to be reliable, since that is entirely under GitHub's control.<p>I think GitHub is needlessly making a bad situation even worse here.
Dates back to at least 2015 <a href="https://news.ycombinator.com/item?id=10005577" rel="nofollow">https://news.ycombinator.com/item?id=10005577</a><p>It’s old news.
This is just a fact of how attribution works in Git. It's not GitHub's responsibility to figure out exactly who should be given credit for which commit, they're just a viewer on top of Git commits.<p>Imagine you did some work at some workplace years ago, and you want credit for it. You don't have access to that email anymore, but you'd still like to have the credit and have it link to your account. That's the use case.
I'm extremely surprised as well. This seems like an obvious vector for an impersonation attack. A malicious user could do this, then perhaps they would have more success submitting a malicious change to "correct a flaw in their previous commit".<p>At the very least, repo owners should have some better control over how attributions display when the user is not a project member or the email used is not verified to an existing user.
Repography looks very cool, but why does it need permission to "act on my behalf"?<p>Is it possible to use without connecting my user at all?
I think if the project included a mailmap file [1], supported by Git, and if Github honored it, this may not be a problem.<p>[1]: <a href="http://git-scm.com/docs/gitmailmap" rel="nofollow">http://git-scm.com/docs/gitmailmap</a>
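To make the mailmap suggestion above concrete, here is an added example (my own code, not git's mailmap.c and not part of the original comment) that parses the four entry forms documented in gitmailmap and applies them to author identities the way `git shortlog -se` would, including the rule that an entry matching both name and email takes precedence over an entry matching the email alone. The .mailmap contents and the commit list are constructed sample data. Git matches email addresses case-insensitively; this example also compares commit names case-insensitively, which is an assumption, as is the choice to reject a bare `<email>` line.

```python
"""Minimal .mailmap reader and applier (added example, simplified from git's behaviour)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# One .mailmap line: optional name, <email>, then optionally another optional
# name and <email>. Lines whose first character is '#' are comments.
_LINE = re.compile(
    r"^\s*(?P<n1>[^<]*?)\s*<(?P<e1>[^>]+)>"
    r"(?:\s*(?P<n2>[^<]*?)\s*<(?P<e2>[^>]+)>)?\s*$"
)

Identity = Tuple[str, str]                      # (name, email) as written in the commit
Mapping = Tuple[Optional[str], Optional[str]]   # (proper name, proper email); None = keep as-is

# Constructed sample .mailmap showing each of the four documented forms.
SAMPLE_MAILMAP = """\
# Proper Name <commit@email>: fix the name used with this address
Jane Doe <jane@example.com>
# <proper@email> <commit@email>: fix the address, keep the commit name
<bob@example.com> <bob@nas.local>
# Proper Name <proper@email> <commit@email>: fix both
Jane Doe <jane@example.com> <jane.d@university.example>
# Proper Name <proper@email> Commit Name <commit@email>: only when name AND email match
Bob Smith <bob@example.com> Bob <shared@example.com>
# Less specific entry for the same address; the name+email entry above wins for "Bob"
Shared Mailbox <shared@example.com>
"""


class Mailmap:
    def __init__(self, text: str) -> None:
        self.by_email: Dict[str, Mapping] = {}                      # forms 1-3
        self.by_name_email: Dict[Tuple[str, str], Mapping] = {}     # form 4, takes precedence
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _LINE.match(line)
            if not m:
                raise ValueError(f".mailmap line {lineno}: cannot parse {raw!r}")
            n1, e1, n2, e2 = (m.group(k) or None for k in ("n1", "e1", "n2", "e2"))
            if e2 is None:
                # "Proper Name <commit@email>": only the name is corrected
                if not n1:
                    raise ValueError(f".mailmap line {lineno}: a lone <email> maps nothing")
                self.by_email[e1.lower()] = (n1, None)
            elif n2:
                # "Proper Name <proper@email> Commit Name <commit@email>"
                self.by_name_email[(n2.lower(), e2.lower())] = (n1, e1)
            else:
                # "<proper@email> <commit@email>" (n1 None) or "Proper Name <proper@email> <commit@email>"
                self.by_email[e2.lower()] = (n1, e1)

    def canonicalize(self, name: str, email: str) -> Identity:
        """Return the identity git would display for this commit author."""
        mapping = self.by_name_email.get((name.lower(), email.lower()))
        if mapping is None:
            mapping = self.by_email.get(email.lower())
        if mapping is None:
            return name, email           # no entry: the commit's own claim stands
        proper_name, proper_email = mapping
        return proper_name or name, proper_email or email

    def shortlog(self, commits: Iterable[Identity]) -> Dict[str, int]:
        """Commit counts per canonical 'Name <email>', like `git shortlog -se`."""
        counts: Counter = Counter()
        for name, email in commits:
            n, e = self.canonicalize(name, email)
            counts[f"{n} <{e}>"] += 1
        return dict(counts)


MAILMAP = Mailmap(SAMPLE_MAILMAP)

# Constructed author identities as they might appear in `git log --format='%an <%ae>'`.
COMMITS = [
    ("jdoe", "jane@example.com"),
    ("Jane", "jane.d@university.example"),
    ("Bob Smith", "bob@nas.local"),
    ("Bob", "shared@example.com"),
    ("Alice", "shared@example.com"),
    ("Mallory", "torvalds@example.org"),   # no entry: mailmap cannot undo a forged address
]

if __name__ == "__main__":
    for ident, n in MAILMAP.shortlog(COMMITS).items():
        print(f"{n:>5}\t{ident}")
```

Because .mailmap lives in the repository, the remapping is controlled by the project's maintainers rather than by whoever adds an address to an account on the hosting side; note, though, that it only rewrites identities it has entries for, so the forged "Mallory" commit is displayed exactly as committed.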
This is trackable, but I had my PR closed and my contributions redressed as another PR a week later by the members of a few different prominent opensource projects, without any communication on their part. And I only realized by chance.
how many email addresses can a person associate with their account? is there the potential for me to develop a bot that scrapes every "unclaimed" email address and claim them? seems like a very poor design choice.
Is it at all relevant that github is not a source of authority for anything, unless the project itself chooses it (and maintainers/owners designate it) as the platform of choice for source control?
What happens if multiple github users add the same unverified email address for a particular commit in a repo to their accounts, how does it know which github username to pick to display next to the commit?
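The question just above, and the stricter policy sketched in the earlier comments (link only to an account that has verified the address, allow a single unverified claim but mark it, show the name from the commit rather than the account's name, and warn when the pushing account has not verified the author address), can be written down as a small resolution function. This is an added example with constructed accounts; it is hypothetical and is not GitHub's implementation, and the status labels are my own.

```python
"""Commit attribution under the stricter policy proposed in this thread (added, hypothetical example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Account:
    login: str
    verified_emails: Set[str] = field(default_factory=set)    # confirmed by a mail round-trip
    unverified_emails: Set[str] = field(default_factory=set)  # merely claimed in settings


@dataclass(frozen=True)
class Attribution:
    display_name: str      # always the name from the commit, never the account's
    login: Optional[str]   # account to link to, or None
    status: str            # "verified" | "unverified" | "conflict" | "unlinked"


def _claims(accounts: List[Account], email: str, verified: bool) -> List[Account]:
    pool = "verified_emails" if verified else "unverified_emails"
    return [a for a in accounts if email in {e.lower() for e in getattr(a, pool)}]


def resolve(author_name: str, author_email: str, accounts: List[Account]) -> Attribution:
    """Decide which account, if any, a commit author line should link to."""
    email = author_email.lower()
    verified = _claims(accounts, email, verified=True)
    if len(verified) > 1:
        # The host must reject a second verification of the same address; treat a breach as a bug.
        raise ValueError(f"{email} is verified on more than one account")
    if verified:
        return Attribution(author_name, verified[0].login, "verified")
    claimants = _claims(accounts, email, verified=False)
    if len(claimants) == 1:
        # Lone unverified claim: link, but the viewer shows an "unverified" marker.
        return Attribution(author_name, claimants[0].login, "unverified")
    if claimants:
        # Competing unverified claims: nobody gets the link.
        return Attribution(author_name, None, "conflict")
    return Attribution(author_name, None, "unlinked")


def author_mismatch(pusher: Account, author_email: str) -> bool:
    """True when the pushing account has not verified the commit's author address,
    i.e. the pushed commit should carry an 'unverified author' warning."""
    return author_email.lower() not in {e.lower() for e in pusher.verified_emails}


# Constructed accounts: 'squatter' has added other people's addresses without verifying them.
ACCOUNTS = [
    Account("alice", verified_emails={"alice@example.com"}),
    Account("carol", unverified_emails={"carol@example.com"}),
    Account("dave", unverified_emails={"dave@oldjob.example"}),
    Account("squatter", unverified_emails={"alice@example.com", "carol@example.com"}),
]

if __name__ == "__main__":
    for name, email in [("Alice", "alice@example.com"), ("Carol", "carol@example.com"),
                        ("Dave", "dave@oldjob.example"), ("Eve", "eve@example.net")]:
        print(resolve(name, email, ACCOUNTS))
    print("flag squatter's push as alice:", author_mismatch(ACCOUNTS[3], "alice@example.com"))
```

Under this policy a bot that mass-claims unclaimed addresses gains nothing durable: the claims show up as "unverified" at best, collapse to "conflict" as soon as a second account claims the same address, and lose outright to a verified one.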
so this is obviously an ad for this repography thing, which looks pretty cool.<p>so.. does it do anything interesting with stuff like git blame -CCC which shows the genealogy of copypasta across time within a repo?
I worked on the security team at GitHub, this was a long standing part of how git works. GitHub allows users to verify commits via GPG signatures to prove that they committed something but it doesn't work for proving a negative, that you did not commit something.<p>We got so many of these submissions which are clearly called out in the rules/scope, usually the people who don't read the rules don't find anything useful. ¯\_(ツ)_/¯