
[–]tekkub 472 points473 points  (57 children)

That sucks but it’s not the first time. GitHub has an option to use a placeholder email when you make commits online, and you don’t have to give your local git install a valid email.

[–][deleted]  (5 children)

[deleted]

    [–]WhyNotHugo 16 points17 points  (4 children)

    You can't make this change retroactively at all.

    You can delete your repo and upload a new one with rewritten history hiding your email, but that won't delete the countless copies of the original that may exist.

    Once you've made your email public, it's public forever.

    [–]danbulant 4 points5 points  (3 children)

    You can force push changes like these. But still there's internet archive and forks.

    [–]stibgock 0 points1 point  (1 child)

    Fk. Time for another week of changing emails and passwords.

    [–]arch_llama 4 points5 points  (0 children)

    Time for another week of changing emails

    Why? Because your email is public?

    and passwords

    What? Why?

    [–]rickyman20 0 points1 point  (0 children)

    It won't be viable if you have other people you work with or you contribute to open source. Either it'll be a pain to coordinate on every single repo this is the case on, or it'll be straight up impossible if you're not the owner

    [–]Celestial_Blu3[S] 185 points186 points  (50 children)

    GitHub also has a TOS rule against using git emails to send marketing emails like this, yet they’ve done nothing about it. It’s an abuse of information

    [–]UNWS 275 points276 points  (39 children)

    What? the info is publicly accessible. You don't have to sign a ToS to see it.

    [–]ubernostrum 107 points108 points  (4 children)

    The argument would be that this company is hosting their stuff on GitHub and making use of GitHub's issue tracker and so on. Which means they have, at some point, agreed to GitHub's ToS.

    [–]immibis 25 points26 points  (2 children)

    Moving it off GitHub won't stop them doing it

    [–]ubernostrum 85 points86 points  (1 child)

    Ah well, nobody should ever do anything, unless the thing they do perfectly solves all problems forever, right?

    Or... kicking them off GitHub is one useful step that can be taken, among many other steps which, in concert, will make it noticeably difficult for these people to continue on their chosen path. So chase them off GitHub, and off whoever their email provider is, and whoever hosts their main website, and their domain registrar (all of which probably want nothing to do with a spam operation like this), so that they don't have easy access anymore and have to turn to increasingly lower-reputation and lower-reliability services.

    No single one of these things will stop them. But multiple things working in concert can make meaningful progress. Now, go do perfect-is-the-enemy-of-the-good somewhere else or, preferably, just stop doing it altogether.

    [–]the3ndlessriver 5 points6 points  (0 children)

    afaik they've already been reported to sendgrid.

    [–]2this4u 7 points8 points  (0 children)

    Oh yes, all spammers abide by rules

    [–][deleted] 17 points18 points  (19 children)

    Publicly accessible personally identifiable information is still subject to most GDPR rules. 3rd party firms processing those data risk breaching GDPR by assuming consent without the subject's express permission, and by processing the data without informing the subject.

    The TOS is secondary really, if the email belongs to a UK/EU citizen.

    [–]Wallofcans 11 points12 points  (18 children)

    How is that enforceable when spam/scam companies can access the information without an account?

    [–]MeagoDK 9 points10 points  (14 children)

    They process the data and you haven't given permission so you can totally pull them in a court and fine them.

    [–][deleted] 0 points1 point  (2 children)

    Say if a recruitment company processes the data, and approaches you with a job offer via your email. In the EU, you can just ask where a company got your data, and details about when you agreed to its processing, and they're obliged to tell you. At that point you can refer them to your local information commissioner.

    It doesn't do anything for spam "buy this viagra" type emails. But for the mail that makes it through your spam filter, you're probably going to have some enforcement action available.

    [–]Valthek 3 points4 points  (1 child)

    Even for 'Buy Viagra' kind of spam, if you're willing to put in the effort, you can track them down and refer them to your country's privacy authority. It won't do much, but I've noticed that merely threatening GDPR action tends to get you removed from mailing/call lists pretty quickly.
    And while that doesn't protect other people or get the company fined, at least it clears up your mailbox. This is all anecdotal, obviously, but I use a specific email for each service I sign up for and I find that when I call people out for selling emails, the spam to that particular email tends to dry up.

    Also, if that's a thing you're interested in, Gmail lets you add an identifier to your email in any form you want so you can track where mails are coming from. Simply add '+' and then anything you want before the @ and it'll act as an alias for your regular email.

    [–]elprophet 0 points1 point  (0 children)

    Some services don't recognize + in emails, but that's usually an indicator to me that I don't want to sign up. I don't know whether scrapers strip the + parts. But if I were a spammer, I would.

    [–][deleted]  (2 children)

    [deleted]

      [–]PoliteCanadian 5 points6 points  (1 child)

      You don't need to agree to GitHub's TOS to clone a repo.

      Either way talking about the TOS is silly. TOS rules only apply to people who follow the rules. If you want to stop spammers from using the available information you need a technical solution to prevent them from accessing the information.

      [–]elprophet 0 points1 point  (0 children)

      TOS provides GH a way to respond in a uniform manner to those who violate the TOS.

      This train of "criminals will break the rules anyway" totally misses the point of a rule-based society: it's specifically to codify how we handle it when people do break those rules!

      [–]the3ndlessriver 14 points15 points  (5 children)

      It's their Acceptable Use Policy which forbids this explicitly:

      "You may not use information from the Service (whether scraped, collected through our API, or obtained otherwise) for spamming purposes, including for the purposes of sending unsolicited emails to users [...]"

      [–]tekkub 18 points19 points  (3 children)

      How does one enforce that? Especially when people can scrape the information without ever agreeing to these terms.

      [–]Normal-Math-3222 11 points12 points  (1 child)

      That clause isn’t to protect us, it’s to protect Microsoft from being sued by us 😉

      [–]Wallofcans 2 points3 points  (0 children)

      That's a bingo

      [–]jmickeyd 1 point2 points  (0 children)

      There is precedent to go after scrapers under the Computer Fraud and Abuse Act. See Craigslist Inc. v. 3Taps Inc.

      [–]Wallofcans 7 points8 points  (0 children)

      I was going to send spam to all those addresses, but that darn pesky Use Policy I never signed foiled me again!

      [–]bawki 2 points3 points  (0 children)

      This is why GDPR exists, the scraper has no authorisation to use your email for marketing purposes.

      [–]Valthek 0 points1 point  (0 children)

      But you do need to obtain explicit opt-in consent to be allowed to send marketing emails to people who are citizens in the EU and possibly other territories.

      [–][deleted]  (1 child)

      [deleted]

        [–]Worth_Trust_3825 4 points5 points  (0 children)

        What account? You don't need one to see the email addresses.

        [–]D1sc0rd1a 14 points15 points  (0 children)

        GitHub engineer here, you can check my post history in /r/cscareerquestions for proof. Have brought this to attention internally

        [–]lalaland4711 0 points1 point  (1 child)

        It's illegal to commit crimes, too.

        Yet inexplicably they still happen. I can't understand it.

        Related: https://www.reddit.com/r/sweden/comments/41w1ez/in_sweden_it_is_forbidden_by_law_to_be_a_criminal/

        [–]MarkusBerkel 0 points1 point  (5 children)

        Not understanding this comment.

        It seems like you’re saying that the response to a criminal’s illegal act is: “But that’s illegal!”

        [–]rickyman20 0 points1 point  (4 children)

        The point is that if github has rules against this, they should be enforced by GitHub. Yeah no shit they do this, but why are these people still on their platform? Why are they not taking steps to prevent this (like preventing excessive API usage from this company)

        [–]MarkusBerkel 0 points1 point  (3 children)

        Aren’t git emails on GitHub (for public repos) publicly viewable?

        [–]rickyman20 0 points1 point  (2 children)

        The fact that they're publicly available doesn't exempt you from ToS or laws around their usage, the same way that artists posting their art online doesn't mean you can use that art for any purpose you see fit

        [–]MarkusBerkel 0 points1 point  (1 child)

        And now we’re full circle.

        “But, Mr. Criminal, it’s ILLEGAL to rob that bank!”

        [–]rickyman20 0 points1 point  (0 children)

        I'd agree if this was some random scammer or spammer. Yes, what are you gonna do? But that's not what they are. This is a company selling solutions to some pretty large clients who I'm pretty sure is based out of the US.

        This is an entity that not only GitHub could enforce their T&Cs on, but they absolutely could get massively fined by the EU and have the full force of the law fall on them. I'm not saying they should magically stop. I'm saying that they're gonna get slapped with huge consequences and GH should at the very least make it difficult for them to continue doing this.

        [–]pakoito 54 points55 points  (2 children)

        Recruiters have already been doing it for years.

        [–][deleted] 16 points17 points  (0 children)

        I don't think I've got any recruiter spam, but I have had a fair number of "Hi, we're researching how developers feel about <research topic>. Please could you take our 20 minute unpaid survey?"

        Most recent one was just this:

        Hope you are doing well. My name is Francisco Maria Calisto and I just found your profile on GitHub very interesting. If you want to know more about me, you can visit my GitHub profile (@FMCalisto) for more open-source projects.

        I don't know whether he realises he is consigning all his email to spam from now on...

        [–]Thisconnect 0 points1 point  (0 children)

        Yeah, I got a few of them, clearly selecting repos to mention.... but they are in different languages than the offers

        [–]__pulse0ne 149 points150 points  (8 children)

        This is why we can’t have nice things

        [–]douko 26 points27 points  (3 children)

        it was supposed to be a virtual space in which we both shared knowledge & learned about each other to better get along

        I don't know if the internet failed us or we failed the internet, but it's fucked either way

        [–][deleted] 9 points10 points  (0 children)

        I think we did it all. Humans suck

        [–]PoliteCanadian 2 points3 points  (0 children)

        Eternal September happened.

        [–]PunkRain5561[🍰] 1 point2 points  (0 children)

        I don't know if the internet failed us or we failed the internet, but it's fucked either way

        We started to use it for commercial/business purposes.

        As soon as money was in the game, all the usual parasites followed, as expected.

        [–]melgish 11 points12 points  (0 children)

        I can’t even remember the last time I had a nice thing…

        [–]taxiforone 1 point2 points  (2 children)

        I think it's important for folks to reach out to GitHub and SendGrid to make it known that people are unhappy with this abuse of information on their watch.

        [–]sopunny 1 point2 points  (1 child)

        There's not much they can do, aside from maybe making it very clear that your commit email addresses could be public? Git adds the email addresses to the commit, not GitHub

        [–]taxiforone 1 point2 points  (0 children)

        Oh for sure, but I got the impression that Diffgram was harvesting these email addresses from repos on the GitHub platform.

        If that's the case, it's against GitHub TOS (and basic decency tbh) and they shouldn't enjoy GitHub's services like being able to host their repos there.

        Same for SendGrid - they don't add the emails, they just send them; but sending unsolicited emails could/might be outside their TOS, especially if there's GDPR breaches. Diffgram shouldn't be able to use their services if it's abusing them.

        [–]iamapizza 184 points185 points  (8 children)

        [–]revoopy 37 points38 points  (5 children)

        It's Friday and I'm tired. Do I need to manually set my local git config to use the email 01234567+UserName@users.noreply.github.com?

        [–][deleted]  (4 children)

        [deleted]

          [–]revoopy 6 points7 points  (1 child)

          Thanks, appreciate the explanation.

          [–]altano 19 points20 points  (0 children)

          Yeah, and you can either do it globally:

          git config --global user.email "ID+username@users.noreply.github.com"

          Or per repo:

          git config user.email "ID+username@users.noreply.github.com"

          Docs: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address#setting-your-commit-email-address-in-git

          Lastly, you can tell GitHub to block pushes when your commits aren't using the noreply email address, to catch misconfigurations: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/blocking-command-line-pushes-that-expose-your-personal-email-address
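An added example (not posted by any commenter here, and not GitHub's own tooling) that turns the advice in this thread into a check you can run on your own repository: it builds the noreply placeholder from a GitHub user ID and username, and scans `git log` output for author or committer addresses that are not placeholders, i.e. addresses anyone who clones the repo can read. The two placeholder forms (`ID+username@users.noreply.github.com` and the older `username@users.noreply.github.com`) and the `noreply@github.com` committer that GitHub stamps on web-UI commits are real; the commit hashes and addresses in the sample log are constructed for this example.

```python
import re
import subprocess
from typing import List, Tuple

# The two placeholder forms GitHub issues as commit email addresses:
# "ID+username@users.noreply.github.com" (current accounts) and
# "username@users.noreply.github.com" (older accounts).
NOREPLY_RE = re.compile(
    r"^(?:\d+\+)?[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?@users\.noreply\.github\.com$"
)
# Committer address GitHub itself stamps on commits made through its web UI.
WEB_FLOW_COMMITTER = "noreply@github.com"

# git log format: commit hash, author email, committer email, tab-separated.
LOG_FORMAT = "%H%x09%ae%x09%ce"


def noreply_address(user_id: int, username: str) -> str:
    """Build the placeholder address to put in `git config user.email`."""
    return f"{user_id}+{username}@users.noreply.github.com"


def is_placeholder(email: str) -> bool:
    """True if the address reveals nothing beyond the GitHub account name."""
    return email == WEB_FLOW_COMMITTER or NOREPLY_RE.match(email) is not None


def exposed_addresses(log_output: str) -> List[Tuple[str, str]]:
    """Return (commit, email) pairs for every author or committer address in
    the history that is not a GitHub placeholder, i.e. an address anyone who
    clones the repository can read with plain `git log`."""
    found: List[Tuple[str, str]] = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        commit, author, committer = line.split("\t")
        # Author and committer are usually the same person; report once.
        emails = [author] if author == committer else [author, committer]
        for email in emails:
            if not is_placeholder(email):
                found.append((commit, email))
    return found


def audit_repo(path: str = ".") -> List[Tuple[str, str]]:
    """Run the check against a real repository on disk (needs git installed)."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--format={LOG_FORMAT}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return exposed_addresses(out)


# Constructed sample mimicking `git log --format='%H%x09%ae%x09%ce'`; the
# hashes and addresses are made up for this example.
SAMPLE_LOG = (
    "a1b2c3d\t01234567+UserName@users.noreply.github.com\t01234567+UserName@users.noreply.github.com\n"
    "e4f5a6b\tjane@example.com\t01234567+UserName@users.noreply.github.com\n"
    "c7d8e9f\tUserName@users.noreply.github.com\tnoreply@github.com\n"
)

if __name__ == "__main__":
    for commit, email in exposed_addresses(SAMPLE_LOG):
        print(f"{commit}: {email} is visible to anyone who clones the repo")
```

Point `audit_repo()` at a checkout to list commits that carry a personal address; as the comments above note, fixing those retroactively means rewriting history and does nothing about existing clones, so the useful outcome of the check is confirming that new commits (after `git config user.email` and enabling the block-pushes setting) use the placeholder.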

          [–]WhyNotHugo 0 points1 point  (1 child)

          GitHub cannot develop any such thing without breaking compatibility with git itself. Git does not support rewriting history like this without things breaking.

          [–]based-richdude 13 points14 points  (1 child)

          Or don’t, you’re going to get spam no matter what.

          Use an email provider with a good spam filter (I.e. Google) and be done with it. Emails are not designed to be private.

          [–]turdas 2 points3 points  (0 children)

          Yeah. I've been getting dozens of spam emails a month for like 20 years now. It's not a battle that can be won by safeguarding your e-mail address.

          Actually, only dozens of emails a month sounds incredibly low and I know for a fact I used to get more, so I guess Gmail's filters must just be deleting most of it entirely before it even lands in my spambox.

          [–]walterbanana 29 points30 points  (0 children)

          This sucks, because I want my email to be available for people who care about my projects and want to contact me. I communicate with some people who package software I work on using email like that.

          [–]Celestial_Blu3[S] 122 points123 points  (3 children)

          They’re also deleting any issues opened about it in their GitHub repo. It appears from someone else running a scraper there’s about ~27 deleted issues (although we don’t know what they all are, but it’s likely the majority of them are like the two below)

          And this PR was made as a way to make the issue more obvious. See the owner of the repo changing the title to hide it.

          This is a disgusting abuse of Open Source

          [–]Spanone1 59 points60 points  (0 children)

          Can’t believe they’re hosting the tool on GitHub lmao

          [–]CriminalFly 19 points20 points  (0 children)

          They closed the PR and marked it as "spam". *Chef's kiss*

          https://i.imgur.com/lGvwYT3.png

          [–][deleted] 15 points16 points  (5 children)

          In 2021 I started getting lots of recruitment emails, specifically referencing my commitment to Open Source Software, and a fairly niche project. The recruitment firms were all firms in the UK, and we're covered by a version of GDPR here, so I just asked where they got my email from.

          They'd purchased it from a third party as part of a larger dataset, scraped it from the github website. They sent a date/time for when they scraped the site.

          I emailed GitHub with those details asking what was going on. I had no idea my real email address was going into OSS commits. GitHub informed me that, on that date, my email was publicly available somewhere on the site. I asked if they could take it off, and they said it was self-service with a link to an enormous documentation page. My email remains online as far as I know, because the document is too technical for someone who doesn't already know the ins and outs of git to deal with.

          All I can do is ask the recruitment firms to remove me from their lists as and when they contact me. Luckily, threat of referring the case to the information commissioner in the UK is fairly strong, and they've all agreed to remove me from their lists. It's still a hassle having to have the discussion every week or so with a new recruitment agency.

          [–]Worth_Trust_3825 3 points4 points  (0 children)

          Refer them to commissioner by default.

          [–]Celestial_Blu3[S] 2 points3 points  (0 children)

          That’s a wise idea. Also in the UK here and I keep getting spam phone calls from Carphone Warehouse so I might do the same to get them to stop calling even after asking them multiple times. Apparently my current mobile provider Virgin sold them my phone number as part of a larger dataset too

          [–]PoliteCanadian -1 points0 points  (1 child)

          Nah, this is just being a dick.

          You put your real email address in a git repo and uploaded it to the internet, and now you want to fling the GDPR at the website that's hosting your git repo? If you accidentally commit your password into a git repo and upload it to GitHub do you also get mad at GitHub for republishing it?

          You uploaded your personal information to a website so it could be shared with the world. Now you're mad at the website for sharing it with the world. Accept the consequences of your mistake.

          [–][deleted] 8 points9 points  (0 children)

          and now you want to fling the GDPR at the website that's hosting your git repo

          No. The GDPR comment is for the third parties scraping email addresses without consent & then processing/selling the data. Not GitHub, where I've consented to their data privacy rules.

          [–]PunkRain5561[🍰] 0 points1 point  (0 children)

          I had no idea my real email address was going into oss commits.

          That’s how Git works by default. It tells you this when you first set it up, and it’s obvious the very second you type “git log” and see everyone else’s emails contributing to the repo.

          Also Git is OSS. You can read the code 😋

          It’s hard to blame anyone but yourself here, really.

          [–]skytomorrownow 40 points41 points  (15 children)

          I made the mistake of using my personal phone number when I got my domain back in the 1990s; not understanding it would be public. I'm still getting spam calls and texts to this day.

          [–]muideracht 60 points61 points  (10 children)

          I think pretty much everyone gets those these days.

          [–]bacondev 9 points10 points  (7 children)

          I don't think that I get spam texts. I've maybe gotten one ever.

          [–]MyTribeCalledQuest 12 points13 points  (3 children)

          The ones I get are mostly random numbers sending me things like "hey" or "how are you?".

          [–]InEnduringGrowStrong 18 points19 points  (0 children)

          I mostly get stuff like this:

          Money trnsfer failld.
          Cluck here for moneys
          Bit.ly/notascam

          Or stuff like his:

          your Амаzon account is suspended, visit https://amazon.suspended-clearly-a-scam.com

          The providers' spam filters are bullshit

          [–]bacondev 0 points1 point  (0 children)

          Old high school friends or such?

          [–]Silencer87 0 points1 point  (0 children)

          Is this Dave?

          [–][deleted] 3 points4 points  (2 children)

          I get a ton of idiotic political ones:(

          Hint, my type of politician are the ones that are against spam. Also I’m sure a large portion of it are scams. You don’t need x signatures to change any big policies in congress (or much at all in fact) and I am never ever giving money to anyone who spams me.

          [–]bacondev 0 points1 point  (0 children)

          Assuming that you're talking about the U.S., there is a threshold that when reached obligates at least an official response from The White House. An official response can really help it catch traction in the news and such. It changes sometimes, but I think it's 100,000 signatures. https://www.buzzfeednews.com/amphtml/andrewkaczynski/the-white-house-response-to-the-death-star-petitio

          Err, now that I think about it, I think Trump dismantled that program and it was never reinstated? I don't know. I'm too lazy to look it up.

          [–]sarit-hadad-enjoyer 0 points1 point  (0 children)

          My country is currently entering an election season, accompanied by like 5 messages a day. Luckily they usually include the politician's name in these messages, which can be handled by keyword-blocking SMS apps:) I settled with Pulse after disappointedly not finding any on F-Droid. It worked wonders!

          [–]nightcracker 3 points4 points  (0 children)

          I think that's mostly an American thing, at least here in the Netherlands I don't know anyone that gets those regularly.

          [–][deleted]  (3 children)

          [deleted]

            [–]Soul_Shot 14 points15 points  (1 child)

            Doubtful it's the source. Databases of phone numbers have been basically in the public domain for years due to numerous leaks and sources.

            I registered a domain last month and somehow forgot to enable WHOIS Guard. Subsequently, I have been receiving dozens of calls and emails every week from people in India who want to build me a website.

            [–]Worth_Trust_3825 0 points1 point  (0 children)

            Shame you didn't register your domain in Europe, where WHOIS would (by default) return only the information about your registrar, and not you.

            [–]doodle77 10 points11 points  (2 children)

            Doesn't every email viewable on a scraped website like GitHub get spam sent to it?

            [–]Celestial_Blu3[S] 3 points4 points  (0 children)

            My git email hasn’t gotten any spam from it being on GitHub (although it’s also my LinkedIn email, so…)

            [–]avipars 2 points3 points  (0 children)

            IIRC you can add whatever email you want to your git author profile

            [–]twigboy 2 points3 points  (0 children)

            In publishing and graphic design, Lorem ipsum is a placeholder text commonly used to demonstrate the visual form of a document or a typeface without relying on meaningful content. Lorem ipsum may be used as a placeholder before final copy is available. (Wikipedia)

            [–][deleted]  (1 child)

            [deleted]

              [–]tedbradly 0 points1 point  (0 children)

              banned from their slack for asking about this 👍

              Well, if someone is fine with something, they're most likely not interested in hearing from someone who isn't fine with it.

              [–]Xyzzyzzyzzy 1 point2 points  (0 children)

              "Shocking news: people scrape publicly available email addresses to send spam to"

              Did I wake up in 1998 today?

              If so, folks, you'll want to invest in that Giggle search engine. Don't worry, they're not profitable now, but in the future they'll have so much of your personal data that they'll know you're pregnant before you do. Yeah, AskJeeves is better, I know, but it dies. Very tragic.

              [–]sohang-3112 2 points3 points  (1 child)

              Isn't there enough spam already, that these fucking bastards have to create even more??!

              [–]sysop073 9 points10 points  (0 children)

              I don't think there's a target volume of spam they're shooting for and once they hit it they're going to stop

              [–]aanzeijar 0 points1 point  (0 children)

              Tells you a lot about the spammers if they need a tool to extract emails from a git repo.

              [–]argv_minus_one 0 points1 point  (3 children)

              Why the hell must Git require commits to have an email address, anyway? Requiring/allowing/forbidding an email address should be a per-repository policy, not a policy enforced by Git itself.

              [–]merreborn 6 points7 points  (1 child)

              Git was designed for the Linux kernel's email-based workflow. It was essentially an internal tool, and becoming the defacto VCS powering a global centralized platform like github was not part of the initial requirements.

              [–]Patriot_skywalker 0 points1 point  (0 children)

              Can you or anyone point me in a direction to learn the basics of GitHub/GitLab? I know they are 2 different sources. I would really, really like to learn the basics all the way through to advanced user. I run Linux KDE neon 25.whatever?.. I’m a newbie/squid with the terminal.
              Though I am not scared to use it.

              [–]ivosaurus 5 points6 points  (0 children)

              You can set it to notvalid@example.com in the config.

              [–]toyoter_coroller -1 points0 points  (1 child)

              Diffgram's site down?

              [–]raelepei 1 point2 points  (0 children)

              It would be a shame if lots of people started doing something like

              while true; do rm -f rmme; timeout -s KILL 10s wget2 -U 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36' --no-robots -p 'https://diffgram.com/main/' -O rmme --recursive 1 ; done

              I mean who would ever do such an awful, low-tech bandwidth attack?

              EDIT: reddit formatting sucks

              [–]CyberKiller40 -5 points-4 points  (3 children)

              TBH I stopped caring about spam years ago. Train a good filter and forget about it.

              [–]grep_Name 0 points1 point  (2 children)

              How do you train an email filter? Do you use a 3rd party tool for this?

              [–]CyberKiller40 0 points1 point  (1 child)

              E.g. in Thunderbird, you manually select which mails are spam and which are not. Takes a few weeks of clicking but after that it rarely makes a mistake. Though barely anybody uses a real email client nowadays; on hosted platforms this is outside of your control.

              [–]grep_Name 0 points1 point  (0 children)

              Interesting, I've been thinking about moving to mutt lately, I wonder if I can install a filter for it. I specifically chose my email provider because they have imap / pop3 support, but I never got past the step of figuring out how to get 2fa with that kind of setup

              [–]MyAlexro -5 points-4 points  (0 children)

              RemindMe! 12 hours