Strip Identity from Commits with Gitmask

180 VIEWS

· ·

Contributing to open source is great! Apart from giving you a resume add-on, people benefit from your contribution. In fact, many of us now depend on several open source technologies.

Your phone or PC is probably running some sort of open source software right now, or running software that depends on open source technology. Thanks to open source, we have amazing products including Linux, VLC, Firefox, WordPress, NGINX, Ogg, and Android. This list could go on forever. New open source tools are constantly springing up by the day.

GitHub and Bitbucket are examples of sites that support the open source movement by providing cloud storage space to host many open source projects. In 2017, GitHub alone reached 24 million developers, working across 67 million repositories. Users of GitHub spread across more than 200 countries, and come from all corners of our planet. There have also been a billion public commits on the service since September 2016. (Check out more on the stats here.)

But There’s a Problem

When you begin learning Git, you’ll soon learn to set your username and email for your projects.

Unfortunately for many, these credentials rarely change and get attached to external commits. There are a number of problems with this—especially sharing your email. With just a few clicks, anyone can unmask your email address. There are a number of reasons why you should protect your credentials, especially your email address. First, your email address is a gateway to other services you use. For an adversary, the email may serve as a starting point of an attack. Spammers may target you once they get hold of your email address. And even though major email providers now have smarter spam detection, some may still find their way into your inbox.

Gotcha! Found Ya Email!

In any GitHub repository, open the commit section.

Select the target commit message of the user.

Add .patch to the URL of the page and load. The URL should look something like this: https://github.com/leachim6/upc/commit/89420b2d69c164b82f78aa91f756656283a0a37a.patch

Shown above is a user’s email. In this case, the email lacks an extension. However, this technique will reveal a user’s email address. For Bitbucket users, just examining a raw commit will reveal the email. That is a problem! There should be a way to completely strip away personal info, or hide it, at least. Contributing to public code shouldn’t put you at risk—not in any way.

Gitmask does the work of stripping your identity from your code. The tool is developed by Jason Kulatunga and is quite simple to use. All you need to do is create a Git bundle and upload it to Gitmask with curl. Gitmask strips and replaces all identification information in your commits, including the username, email, and timestamps. A pull request is made to the upstream repository. The author now becomes “anonymous” and the originating IP is that of Gitmask.

After a successful test, you’ll probably get an email notification. Inspecting the commit will not reveal any user information—All the information is stripped away and is replaced with information of an anonymous user, just like in the image below.

Final Thoughts

If you deeply care about security, you should consider using Gitmask. The tool is open source, so you can add more features to what is currently available. In the words of the developer: “Sometimes it’s better to let the code speak for itself.”

Do you think you can beat this Sweet post?

If so, you may have what it takes to become a Sweetcode contributor... Learn More.

Bruno is a junior at Ashesi University College studying Computer Science. He is interested in leveraging the power of technology to increase productivity. As a big fan of open source technology, he is currently exploring the possibility of using the Bitcoin Blockchain to fight corruption in government.


Discussion

Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *

Menu