Strip Identity from Commits with Gitmask


Contributing to open source is great! Apart from giving you a resume add-on, people benefit from your contribution. In fact, many of us now depend on several open source technologies.

Your phone or PC is probably running some sort of open source software right now, or running software that depends on open source technology. Thanks to open source, we have amazing products including Linux, VLC, Firefox, WordPress, NGINX, Ogg, and Android. This list could go on forever. New open source tools spring up every day.

GitHub and Bitbucket are examples of sites that support the open source movement by providing cloud storage space to host many open source projects. In 2017, GitHub alone reached 24 million developers, working across 67 million repositories. Users of GitHub spread across more than 200 countries, and come from all corners of our planet. There have also been a billion public commits on the service since September 2016. (Check out more on the stats here.)

But There’s a Problem

When you begin learning Git, you’ll soon learn to set your username and email for your projects.

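# set your email
# replace <your-email> with your email address
git config --global user.email "<your-email>"

# set your username
# replace <your-username> with your username
git config --global user.name "<your-username>"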

Unfortunately for many, these credentials rarely change and get attached to external commits. That causes a number of problems, especially where your email is concerned: with just a few clicks, anyone can unmask your email address. There are several reasons to protect your credentials, and your email address in particular. First, your email address is a gateway to other services you use. For an adversary, the email may serve as a starting point of an attack. Spammers may target you once they get hold of your email address. And even though major email providers now have smarter spam detection, some spam may still find its way into your inbox.

Gotcha! Found Ya Email!

In any GitHub repository, open the commit section.

Select the target commit message of the user.

Add .patch to the URL of the page and load it. The URL should look something like this: https://github.com/leachim6/upc/commit/89420b2d69c164b82f78aa91f756656283a0a37a.patch

Shown above is a user’s email. In this case, the email lacks an extension. However, this technique will reveal a user’s email address. For Bitbucket users, just examining a raw commit will reveal the email. That is a problem! There should be a way to completely strip away personal info, or hide it, at least. Contributing to public code shouldn’t put you at risk—not in any way.
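To check what your own commits expose before you publish them, the example below parses text in the `git format-patch` layout, which is what the `.patch` view serves, and lists the name, email and timestamp each commit carries. It is an added example, not code from the original article or from Gitmask; the sample patch, its identities and the function names are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample in `git format-patch` layout (hashes and identities are made up).
# The second commit carries a made-up placeholder identity for comparison.
SAMPLE_PATCH = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Jane Doe <jane.doe@example.com>
Date: Tue, 6 Mar 2018 21:14:09 +0000
Subject: [PATCH 1/2] Fix typo in README

---

From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: anonymous <anonymous@example.invalid>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH 2/2] Add usage section

---
"""

# Each patch in the stream starts with this mbox-style separator line.
SEPARATOR = re.compile(r"^From ([0-9a-f]{40}) ", re.MULTILINE)

def exposed_identities(patch_text):
    """Return one dict per commit with the identity fields the patch reveals."""
    parts = SEPARATOR.split(patch_text)[1:]  # [sha, body, sha, body, ...]
    found = []
    for sha, body in zip(parts[0::2], parts[1::2]):
        # body begins with the rest of the separator line; headers follow it.
        msg = email.message_from_string(body.split("\n", 1)[1])
        name, addr = parseaddr(msg.get("From", ""))
        when = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
        found.append({"commit": sha[:8], "name": name, "email": addr,
                      "date": when.isoformat() if when else None})
    return found

def commits_leaking(patch_text, private_addresses):
    """List short hashes of commits whose author email is one you keep private."""
    private = {a.lower() for a in private_addresses}
    return [c["commit"] for c in exposed_identities(patch_text)
            if c["email"].lower() in private]

if __name__ == "__main__":
    for c in exposed_identities(SAMPLE_PATCH):
        print(c)
    print("leaking:", commits_leaking(SAMPLE_PATCH, ["jane.doe@example.com"]))
```

To audit a real branch, pass the output of `git format-patch --stdout` for the commits you are about to push instead of the sample.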

Gitmask does the work of stripping your identity from your code. The tool is developed by Jason Kulatunga and is quite simple to use. All you need to do is create a Git bundle and upload it to Gitmask with curl. Gitmask strips and replaces all identification information in your commits, including the username, email, and timestamps. A pull request is made to the upstream repository. The author now becomes “anonymous” and the originating IP is that of Gitmask.

# create bundle
# replace <bundle_name> with name of bundle
git bundle create <bundle_name>.bundle master

# upload bundle
# replace <location> with change location, example: theBashShell/GitMaskTest
# replace <branch> with branch name
curl -L -X PUT --upload-file <bundle_name>.bundle https://git.gitmask.com/v1/bundle/github.com/<location>/<branch>

After a successful test, you’ll probably get an email notification. Inspecting the commit will not reveal any user information. All of it is stripped away and replaced with the information of an anonymous user, just like in the image below.

Final Thoughts

If you deeply care about security, you should consider using Gitmask. The tool is open source, so you can add more features to what is currently available. In the words of the developer: “Sometimes it’s better to let the code speak for itself.”


Bruno is a junior at Ashesi University College studying Computer Science. He is interested in leveraging the power of technology to increase productivity. As a big fan of open source technology, he is currently exploring the possibility of using the Bitcoin Blockchain to fight corruption in government. Bruno is a regular contributor at Fixate IO.

