
🔄 Repost:
https://git.nicksphere.ch/git-privacy/about/

Posted: Nov 1, 2022 | Reading time: 3 min

Git-Privacy

❌ Default Git Privacy ❌

With only 3 commands anyone can find out the dates and exact times, down to the second, that a developer makes commits.

git clone <target-repo>
cd <target-repo>
git log --format=fuller

Over a long enough timespan, exact commit times can be used to deduce private information about a developer’s life, for instance their likely timezone and sleep patterns.

📅 Git Timestamps 📅

Git commit objects have 2 or 3 timestamps to worry about. The two main ones are:

  • GIT_AUTHOR_DATE represents the time and date the changes were made, not the commit.
  • GIT_COMMITTER_DATE represents the time and date the changes were committed.

Removing Timestamps For Commits

Git doesn’t have a way to remove timestamps altogether, but both the GIT_AUTHOR_DATE and GIT_COMMITTER_DATE can be set to any arbitrary date. For maximum privacy, set the GIT_AUTHOR_DATE and GIT_COMMITTER_DATE to any constant date in your shell’s environment variables.

export GIT_COMMITTER_DATE="2000-01-01 00:00:00+0000"
export GIT_AUTHOR_DATE="2000-01-01 00:00:00+0000"

To make the changes permanent, append the commands to ~/.bashrc:

echo -e "export GIT_COMMITTER_DATE=\"2000-01-01 00:00:00+0000\"\nexport GIT_AUTHOR_DATE=\"2000-01-01 00:00:00+0000\"" >> ~/.bashrc

If it’s desirable to retain only the day on which a commit was made, set both the GIT_AUTHOR_DATE and GIT_COMMITTER_DATE like so:

export GIT_COMMITTER_DATE="$(date +%Y-%m-%d) 00:00:00+0000"
export GIT_AUTHOR_DATE="$(date +%Y-%m-%d) 00:00:00+0000"

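This provides decent privacy and still meaningful timestamps. To make the changes permanent, append the commands to ~/.bashrc. The $(date ...) substitutions are escaped so that they are written to the file literally and evaluated by each new shell, rather than being expanded once to the date on which the command is run:

echo -e "export GIT_COMMITTER_DATE=\"\$(date +%Y-%m-%d) 00:00:00+0000\"\nexport GIT_AUTHOR_DATE=\"\$(date +%Y-%m-%d) 00:00:00+0000\"" >> ~/.bashrc

Environment variables don’t change after being set, so the dates update when a new shell is opened, not at midnight.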
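To check that the settings above actually took effect in a repository, the following added example (not part of the original README) flags every commit whose author or committer time is not midnight at +0000. The function names audit_commit_times and sample_log and the sample lines are constructed for illustration.

```bash
#!/bin/bash
# Flag commits whose author or committer time reveals more than the day.
# Input lines: "<hash> <author-epoch> <author-tz> <committer-epoch> <committer-tz>"
# In a real repository, feed it with:
#   git log --date=raw --format='%h %ad %cd' | audit_commit_times
audit_commit_times() {
    awk '
        # Normalized means midnight UTC: whole days since the epoch, +0000 offset.
        function leaks(epoch, tz) { return (epoch % 86400 != 0) || (tz != "+0000") }
        NF == 5 {
            a = leaks($2, $3); c = leaks($4, $5)
            if (a || c) {
                printf "%s leaks:%s%s\n", $1, (a ? " author" : ""), (c ? " committer" : "")
                bad++
            }
        }
        # Non-zero exit status lets a hook or CI job fail on any leak.
        END { exit (bad > 0) }
    '
}

# Constructed sample input (not from a real repository):
#   line 1: constant date 2000-01-01 00:00:00+0000
#   line 2: day-only date 2022-11-01 00:00:00+0000
#   line 3: untouched commit made at local time, +0100
#   line 4: author date normalized, committer date left at the real time
sample_log() {
    cat <<'EOF'
a1b2c3d 946684800 +0000 946684800 +0000
e4f5a6b 1667260800 +0000 1667260800 +0000
c7d8e9f 1667315563 +0100 1667315563 +0100
0a1b2c3 1667260800 +0000 1667318400 +0000
EOF
}

sample_log | audit_commit_times || echo "un-normalized timestamps found"
```

The fourth sample line shows why both variables must be set: a commit with only the author date overridden still exposes the exact commit time through the committer date.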

🔑 Removing Timestamps for Digital Signatures 🔑

It’s important to digitally sign Git commits and especially releases to prevent man-in-the-middle attacks. GPG signatures contain their own timestamps which can be just as bad for privacy as Git timestamps.

Luckily, GPG signature timestamps can also be forged with the option: --faked-system-time <iso>. For this to be persistent, Git needs to invoke GPG through a wrapper script that always forges the system time. The script should also exclude GPG version information, since that could leak time information as well:

#!/bin/bash
# The trailing ! freezes GPG's clock at <iso>; "$@" passes Git's arguments through unchanged.
gpg2 --faked-system-time <iso>! --no-emit-version --no-comments "$@"

<iso> can be any time after the GPG signing key was generated. An example iso value is 20201130T000000 for 30 November 2020 at midnight.

Make Git use the new script (here saved as gpg2-git, executable and on your PATH) instead of regular GPG by adding the following lines to your Git config:

[gpg]
        program = gpg2-git

Git will now use a fake system time for every GPG signed commit. Git preserves almost no metadata by design, so privacy is looking pretty good.

📝 Additional Notes 📝

GitHub is known to record when commits are pushed. See the ticket about GitHub contribution activity. To obfuscate push times, one could push code with cron at regular time intervals.

It’s possible to use Git hooks to accomplish timestamp obfuscation, but it’s still necessary to manually override the date for some Git commands, making it very inconvenient. The developers of Git should make timestamp obfuscation a feature in order to make doing all this unnecessary.

License

This README file is licensed under CC-BY-SA 4.0.
