this post was submitted on 31 Aug 2024
40 points (84.5% liked)

Git

2899 readers
1 users here now

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.

Resources

Rules

  1. Follow programming.dev rules
  2. Be excellent to each other, no hostility towards users for any reason
  3. No spam of tools/companies/advertisements. It’s OK to post your own stuff part of the time, but the primary use of the community should not be self-promotion.

Git Logo by Jason Long is licensed under the Creative Commons Attribution 3.0 Unported License.

founded 1 year ago
MODERATORS
40
submitted 2 months ago* (last edited 2 months ago) by Kalcifer to c/[email protected]
 

Git records the local timezone when a commit is made [1]. Knowledge of the timezone in which a commit was made could be used as a bit of identifying information to de-anonymize the committer.

Setting one's timezone to UTC can help mitigate this issue [2][3] (though, ofc, one must still be wary of time-of-day commit patterns being used to deduce a timezone).

References

  1. Git documentation. git-commit. "Date Formats: Git internal format". Accessed: 2024-08-31T07:52Z. https://git-scm.com/docs/git-commit#Documentation/git-commit.txt-Gitinternalformat.

    It is <unix-timestamp> <time-zone-offset>, where <unix-timestamp> is the number of seconds since the UNIX epoch. <time-zone-offset> is a positive or negative offset from UTC. For example CET (which is 1 hour ahead of UTC) is +0100.

  2. jthill. "How can I ignore committing timezone information in my commit?". Stack Overflow. Published: 2014-05-26T16:57:37Z. (Accessed: 2024-08-31T08:27Z). https://stackoverflow.com/questions/23874208/how-can-i-ignore-committing-timezone-information-in-my-commit#comment36750060_23874208.

    to set the timezone for a specific command, say e.g. TZ=UTC git commit

  3. Oliver. "How can I ignore committing timezone information in my commit?". Stack Overflow. Published: 2022-05-22T08:56:38Z (Accessed: 2024-08-31T08:30Z). https://stackoverflow.com/a/72336094/7934600

    each commit Git stores a author date and a commit date. So you have to omit the timezone for both dates.

    I solved this for my self with the help of the following Git alias:

    [alias]
    co = "!f() { \
        export GIT_AUTHOR_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \
        export GIT_COMMITTER_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \
        git commit $@; \
        git log -n 1 --pretty=\"Autor: %an <%ae> (%ai)\"; \
        git log -n 1 --pretty=\"Committer: %cn <%ce> (%ci)\"; \
    }; f"
    


Cross-posts:

top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 14 points 2 months ago (2 children)

So a documented core aspect of the tool is a leak. Impressive research

[–] [email protected] 5 points 2 months ago (2 children)

It is slightly surprising no? I can't see any real reason for it to record this information.

That said, your rough timezone is probably going to leak just from the fact that people generally don't make commits in the middle of the night. If you want HN paranoia levels of anonymity you need to schedule your commits to be automatically pushed at exactly midnight UTC every day.

[–] [email protected] 4 points 2 months ago (1 children)

The only time I came across this subject was when there were malicious commits in a code base. When else would this matter? The commit contains your name and email address. Who cares about time zone? Just as anything in a commit, these metadata can be freely manipulated and serve purely as information for other developers. Who are you scared of seeing your time zone in a commit on a seemingly public code repository? This is such a pointless non-discovery

[–] Kalcifer 3 points 2 months ago

When else would this matter?

  • When a committer doesn't want their geographic location to be known.
  • When a committer doesn't want their contribution activity to be known.

commit contains your name and email address.

That is a bit of identifying, yes, but, arguably, not as personally identifying as a timezone. Furthermore, the manual nature of entering a username and email puts the agency on the person to choose how they wish that commit to be identified, but the time is generally chosen automatically. Unless one is paying close attention to the commit log, it's likely that many wouldn't notice the timezone. It's also possible, and completely forgivable, imo, for one to assume that the timezone is only shown client-side, and isn't actually recorded; it is only when one looks at the documentation that they will see that the timezone is indeed recorded.


these metadata can be freely manipulated

This is essentially what I am advocating for if one is trying to improve the privacy of their Git contributions.


and serve purely as information for other developers

Who are you scared of seeing your time zone in a commit on a seemingly public code repository? This is such a pointless non-discovery

Be careful about forming arguments from ignorance.

[–] Kalcifer 1 points 2 months ago

I can’t see any real reason for it to record this information

Considering what Git actually does from a technical standpoint (version control), other features like recording the times of commits, commit messages, commiter name, commiter email, etc. are all QoL additions to what I would view as the actual core protocol — version control. Tracking changes does not require any of this extra metadata.


your rough timezone is probably going to leak just from the fact that people generally don’t make commits in the middle of the night

Yeah, I did mention this.


If you want HN paranoia levels of anonymity you need to schedule your commits to be automatically pushed at exactly midnight UTC every day.

You could also schedule all commits to occur evenly spread out throughout the day. You'd probably also need some script to automatically update all of the dates of each commit when a new commit is made to ensure that they are spread evenly.

[–] Kalcifer 4 points 2 months ago

leak

In case the usage of that word is core to your argument, note that I have changed it from "leaks" to "exposes".


So a documented core aspect of the tool is a leak.

A service/tool being documented doesn't necessitate that that service/tool is private. All large social media companies, which seem to universally be understood as the antithesis to privacy, have very detailed terms and conditions that outline exactly what those services do. Do you think those services should be regarded as private because what they do is documented…?


Impressive research

I'm not sure why the condescension is warranted.

[–] [email protected] 8 points 2 months ago* (last edited 2 months ago) (2 children)

Ah shit... I always assumed it was just a nix timestamp. What's the use of storing the timezone? :/

Anti Commercial-AI license

[–] Kalcifer 4 points 2 months ago

What’s the use of storing the timezone?

Imo, mostly QoL.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

Because if we are in different zones we could both commit around 09:00 local time, so then it would seem we both committed at the same instance in time, which we didn't.

If we were both running UTC it could work, I guess; otherwise the order of commits would stop making sense.

edit: unless you meant to auto-convert the local time to a unix timestamp, that could work. I'm overthinking stuff.

[–] Kalcifer 4 points 2 months ago* (last edited 2 months ago)

I guess; otherwise the order of commits would stop making sense.

Fundamentally, Git doesn't require commits to be dated (I'm assuming some things about the protocol here — there might be something in the source code that does a check, but my point will still stand). Version control only cares about the changes from one thing to the next. The time at which the change occurred is irrelevant for this end. Things like committer names, committer emails, commit times, commit messages, etc. are QoL additions on top of what I view as the base git protocol. I'm not sure if there is an RFC which outlines Git in more detail, though. If someone is aware of such a standard, please share it.


unless you meant to auto-convert the local time to a unix timestamp, that could work. I’m overthinking stuff.

Personally, that's what I presumed they were referring to. Either that, or just storing a UTC time. Technically, I suppose storing UTC is effectively storing a timezone, but not in the sense of what this post is talking about.