Git records the local timezone when a commit is made [1]. Knowledge of the timezone in which a commit was made could be used as a bit of identifying information to de-anonymize the committer.
Setting one’s timezone to UTC can help mitigate this issue [2][3] (though, ofc, one must still be wary of time-of-day commit patterns being used to deduce a timezone).
References
- Git documentation. git-commit. “Date Formats: Git internal format”. Accessed: 2024-08-31T07:52Z. https://git-scm.com/docs/git-commit#Documentation/git-commit.txt-Gitinternalformat.
It is
<unix-timestamp> <time-zone-offset>
, where<unix-timestamp>
is the number of seconds since the UNIX epoch.<time-zone-offset>
is a positive or negative offset from UTC. For example CET (which is 1 hour ahead of UTC) is+0100
. - jthill. “How can I ignore committing timezone information in my commit?”. Stack Overflow. Published: 2014-05-26T16:57:37Z. (Accessed: 2024-08-31T08:27Z). https://stackoverflow.com/questions/23874208/how-can-i-ignore-committing-timezone-information-in-my-commit#comment36750060_23874208.
to set the timezone for a specific command, say e.g.
TZ=UTC git commit
- Oliver. “How can I ignore committing timezone information in my commit?”. Stack Overflow. Published: 2022-05-22T08:56:38Z (Accessed: 2024-08-31T08:30Z). https://stackoverflow.com/a/72336094/7934600
each commit Git stores a author date and a commit date. So you have to omit the timezone for both dates.
I solved this for my self with the help of the following Git alias:
[alias] co = "!f() { \ export GIT_AUTHOR_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \ export GIT_COMMITTER_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \ git commit $@; \ git log -n 1 --pretty=\"Autor: %an <%ae> (%ai)\"; \ git log -n 1 --pretty=\"Committer: %cn <%ce> (%ci)\"; \ }; f"
Cross-posts:
Wait until you find out about build systems
How do you mean?
Often times the final build will have the information from the system including the hostname and username
That would certainly also be worthy of concern.
Not really as those are public things. Dhcp is more of a issue.
Not really as those are public things.
Would you mind citing an example of exactly what you are referring to? I feel like I’m presuming a lot of things in your statements here.
Dhcp is more of a issue.
I don’t know if it’s “more”, or “less” of an issue, but all these things are worthy of concern.
It’s not leak when it’s an intended and documented feature…
Fair point. I think “leak” is likely the wrong term to use here. “Exposes” is probably a better one. I’ll update the post promptly.