account associated with "private" e-mail can be revealed by somebody else #121895
Unanswered
esumii asked this question in Repositories
Replies: 1 comment
Select Topic Area
Bug
Body
Suppose I have an account, say @foo, privately associated with an e-mail address, say [email protected], and "Keep my email addresses private" is checked in https://github.com/settings/emails. When somebody (not me) makes a commit to some repository (not mine) and the commit is associated (without being known to me) with [email protected], GitHub openly associates the commit with @foo, revealing its association to [email protected].
I am not sure whether this is a "bug", but I do not think it is a desirable behavior. Please note this is not about "Block command line pushes that expose my email" (also in https://github.com/settings/emails) - the problem is about revealing the association of an e-mail address to GitHub, rather than the e-mail address itself.
Please forgive me if I am missing something.
P.S. I've also read https://docs.github.com/en/pull-requests/committing-changes-to-your-project/troubleshooting-commits/why-are-my-commits-linked-to-the-wrong-user but it does not solve the above issue, either.
P.P.S. The repository and commit (made/owned by someone else) can be private, in which case the owner of the "anonymous" account cannot even notice the information leak. Please also note it can happen by accident (which did happen to my colleague and me), not malice.