Author never commits with his real email except for the initial commit (which points to https://github.com/andychu) and the project is owned by an organization.
I wonder if it is possible to run anonymous projects by creating an organization and committing as "Anonymous <anonymous@example.com>". Of course you should just create another account using Tor in this case, but just from a theoretical point of view, can an outsider (not working at GitHub) find out who the author is?
> I wonder if it is possible to run anonymous projects by creating an organization and committing as "Anonymous <anonymous@example.com>". Of course you should just create another account using Tor in this case, but just from a theoretical point of view, can an outsider (not working at GitHub) find out who the author is?
Should be trivially possible; GitHub identifies people via their SSH key, not via a "name" or email address.
> You must provide your name, a valid email address, and any other information requested in order to complete the signup process.
Throwaway email addresses (e.g. mailinator.com) are "valid", but not providing "your name" is a violation of the TOS, and hence:
> Violation of any of the terms below will result in the termination of your Account.
Of course, that's not saying much when their terms also state:
> GitHub, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Service, or any other GitHub service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your Account or your access to your Account, and the forfeiture and relinquishment of all Content in your Account. GitHub reserves the right to refuse service to anyone for any reason at any time.
Hence anybody who actually cares about privacy, anonymity, publishing code without it being taken down, etc. should probably avoid GitHub (other than for mirroring). It's a single point of failure which can be closed down or sent a subpoena.
The whole point of git is to be decentralised, so just use `git send-email` and keep it that way. No need to give any control to a centralised entity, especially a proprietary one!
It never says "full legal name", just "your name". Suppose you decide to use an alias? (Especially if you use one that sounds like a legitimate name?) Does that violate the TOS?
I am not a lawyer so I am not going to even try to interpret GitHub's TOS. But I do think GitHub ought to clarify this point–either explicitly say that aliases/pseudonyms are permitted, or alternatively if they insist on your legal name, say that. Although demanding one's legal name, if taken literally, can produce some odd results – if everyone calls you "Peggy Smith" but your legal name is "Margaret Helen Smith", should it be a TOS violation to create an account as "Peggy Smith"? Or, to give another example, a woman who marries may decide to adopt her husband's surname as her legal surname (or in some countries that might even happen automatically by law without her having any say in it), but still use her maiden name for professional purposes–that's what my mother did at least.
I imagine many GitHub users don't have a "full legal name"; e.g. I'm in the UK and AFAIK there's no concept of a distinguished "legal name"; a name is anything you're known by, i.e. I could give "chriswarbo" as my name in an official setting, since that's one of the names I'm known by (although it would probably cause me headaches, since that name doesn't appear in any of my other official forms/documents).
Besides which, as I quoted above, GitHub can terminate any account at any time for any reason, so it's really just nitpicking.
> GitHub identifies people via their SSH key, not via a "name" or email address.
Contrary to this, GitHub leans heavily on email addresses to identify contributors—in fact it may be correct to say it relies entirely on email addresses. This comes from both the documentation[1] and is borne out by experiments I've done to verify this[2].
The only thing I'm aware of that's of note is if you superficially try to change the author of the patch to give a different attribution before pushing to GitHub, then GitHub will say something like "Other-Name committed with Real-You". In this case, it all comes from Git—Git has a notion of "committer" as distinct from "author". So what's happening in the case of e.g. `--author=Other-Name <fake@example>`, Git reads your config, which specifies e.g. Real-You, and so based on that and the `author` flag, will mark the commit with author Other-Name and committer Real-You. From this, GitHub displays the UI string of the form mentioned earlier.
For example, from a recent commit[3] to the vscode-docs repo, if you do:
```
tree 86c221e0f9e7e986068c50971ac322c738f5812f
parent ccb9478342bba878111baedb412fb7f6911b40ad
author João Moreno <mail@joaomoreno.com> 1486451758 +0100
committer Greg Van Liew <gregvanl@microsoft.com> 1486481582 -0800

Improve `code` docs for macOS
```
Once again, this is all Git, and nothing specific to GitHub or any special inference that it derives from SSH keys (to my knowledge). If you have some other information, can you share it? Realistically, it's not feasible for GitHub to rely on SSH because it's not even necessary to set up SSH for your account. (Pushes from the command line can be done with a username/password pair—if you're hitting the https endpoint—and GitHub really likes people who do everything through their web UI. Forcing the latter group to mess with SSH is basically a non-starter, given GitHub's goals—which I'll clarify at every opportunity, is to be a social network first, and a software development platform second.)
Yes, I didn't mean to imply they're scraping information from keys or anything (e.g. looking them up in a web of trust, etc.); only that SSH keys are an "external" form of identifier.
The git cli uses 'email-like identifiers', but they don't have to be working email addresses unless you're using git's email integration (and even then, you could use sendmail et al to redirect these fake emails through a real one).
Of course, it's trivial to use multiple git configs (such that "Real-You" isn't really you), although it requires some vigilance. I worked with someone who maintained two separate GitHub accounts: one for "public" stuff, one for security/hacking related stuff (nothing nefarious; they went after bug bounties). They got really annoyed one day when they spotted that the drunk coding they'd done the night before had been committed using their public git config, so anyone who'd crawled/mirrored those repos (and of course GitHub themselves) would be able to tie the identities together!
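An added example, not part of any post in this thread: a small parser for the raw commit-object text discussed above (the layout `git cat-file -p <commit>` prints) that reports every author or committer email outside the set you intended to publish under, which is the check that would have caught the wrong-config commit described above. The sample commit, its hashes and the addresses are constructed, and the function names are this example's own.

```python
import re
from collections import namedtuple

Ident = namedtuple("Ident", "name email when tz")
# "<name> <email> <unix-seconds> <utc-offset>", as in the author/committer lines
IDENT_RE = re.compile(r"^(?P<name>.*?) ?<(?P<email>[^<>]*)> (?P<when>\d+) (?P<tz>[+-]\d{4})$")

def parse_commit(raw):
    """Parse the text of a raw commit object into a dict of its fields."""
    head, _, message = raw.partition("\n\n")   # blank line ends the headers
    fields = {"parent": [], "message": message.strip()}
    last = None
    for line in head.splitlines():
        if line.startswith(" ") and last:      # continuation line (e.g. gpgsig)
            continue
        key, _, value = line.partition(" ")
        last = key
        if key == "parent":                    # merge commits have several
            fields["parent"].append(value)
        elif key in ("author", "committer"):
            m = IDENT_RE.match(value)
            if not m:
                raise ValueError(f"malformed {key} line: {value!r}")
            fields[key] = Ident(m["name"], m["email"], int(m["when"]), m["tz"])
        else:
            fields[key] = value
    return fields

def audit(raw_commits, expected_emails):
    """Return (short tree id, role, email) for each identity not in expected_emails."""
    findings = []
    for raw in raw_commits:
        c = parse_commit(raw)
        for role in ("author", "committer"):
            if c[role].email.lower() not in expected_emails:
                findings.append((c["tree"][:7], role, c[role].email))
    return findings

# Constructed sample: --author was overridden, but the committer came from git config.
LEAKY = """tree 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author Anonymous <anonymous@example.com> 1486451758 +0100
committer Real You <real.you@example.org> 1486481582 -0800

Fix typo
"""

if __name__ == "__main__":
    for finding in audit([LEAKY], {"anonymous@example.com"}):
        print("unexpected identity:", finding)
```

Run against every commit before the first push, since both fields are stored in the commit object and travel with every clone or mirror.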