Tell HN: Startups harvesting GitHub commit emails for marketing purposes
I recently received an starting like this:
> Hi fouric,
> I found your email from one of your GitHub repository while checking for a solution.
> Being in the software engineering industry, I am reaching out for your valuable inputs on our product called "Language Lens" [...]
The email attached to my GitHub account isn't exposed in my profile - the only way this individual would have gotten my email from GitHub would have been too scrape my commit messages.
Needless to say, I didn't request or consent to this.
All y'all might want to make sure that the email attached to your commits is something you're not afraid to receive spam like this at.
119 comments
[ 5.3 ms ] story [ 263 ms ] threadI have never signed my commits because I see absolutely no reason to (my repositories are all small personal projects that nobody uses), and I haven't gotten around to setting up a proper key management workflow with my password manager. Maybe I need to start signing them!
Anti-Googler: Produce prodigious amounts of comments on the Internet about Google and approximately zero code
I mean, really? It's a shell script wrapped as a package to gain traction. What has the state of the Dev world become, indeed ...
But no. This is actually just a small shell script as you said. Insane!
https://docs.github.com/en/account-and-profile/setting-up-an...
I can make a free email very easily. Having a "real" gmail in the logs means nothing.
>Getting recruiter spam is a good problem to have.
Easy for you to say. Not everyone wants that. Sign up for your own recruiters then...
Its not even about what you do, worse, its what they believe you did. And this is a factor you cannot possibly control.
This is both novel and incredibly useful to me. I know that I'm going to have to go through my old commits and do something awful like filter-branch in order to rewrite all of the email addresses, but this feature will at least make sure that I don't then accidentally push a commit with my real address again. Thank you!
I use bogus emails like no-reply@localhost. I quite literally don't give a single care in the world what someone wants to say to me, or why. I'd rather select the times when I accept inbound comms. This is a big reason I do not carry a phone, and use one maybe once a month to organize the next cycle with my coconspirators.
I don't dislike people at all, but to contact me after the effort is taken to not be contacted is rude. I wish there were a license that could be used seriously that consists of:
This is forkware
Don't bother me
I'm a nice guy and enjoy sharing. Let's take doritos as an example. I'll share my doritos with you, but I'm not interested in the pleasantries like your analysis of why modern doritos are terrible little crunchy cardboard chunks that mouthfuck your tastebuds into submission. I even don't want to know about the ones I agree with, like how a modern mountain dew most deliciously compliments the retro doritos if you can still find them.
I don't mind if you use my code, I don't care if you take my name off it, or put it on, or write it on your arm, I don't care. Go sell it to facebook if that makes your day. If I change my mind I'll put a license on the next version, but I haven't reached that point yet, so the obese and overbearing MIT license it is, until then.
But know this: Don't you even think about contacting me for anything. I am not a business, I have a fondness for the idea that the byproduct of my struggles may help a stranger without my knowledge. I prefer to live while littering artifacts of what I make so that maybe someone else stuck in the same spot can get some relief.
Why do people think that for me to give away some code I now have to have a support staff of one?
You've got the entire game fucked up. Don't @ me.
> But know this: Don't you even think about contacting me for anything.
This got angry and weird real quick.
But don't you email me, you nice and wonderful person.
Though I'd say people will assume you're poor at "online presence" or something before assuming you don't want to be contacted.
I remember decades ago the email address in the code being the “resume” for people. People using the Linux mailing list for example to “harvest” emails to contact those people about employment.
I think it’s fair to say if you share your email address out in an open source project and give away it’s code, it is an open invitation to contact the person. After all, the purpose of the email address is generally for contacting people.
If you don’t want to be contacted, you already have a solution: don’t use a real email address. But if you are putting your email address out there in public these days, the ONLY reason you are doing that is to be contacted.
Craigslist growth hack —very early on, anyone who listed on Airbnb could cross-list on Craigslist with one click, Airbnb helped by filling out all Craigslists forms with a ‘bot.’ The hack required some technical gnarl to perform, but it was perfect for this early stage. The team also appeared to look for all listings of vacation properties being listed on Craigslist, and emailed the owners to list also on Airbnb. Yes, it’s spam. But yes, it worked.
(1) https://www.linkedin.com/pulse/20140918020352-142089-airbnb-...
That was arguably expressly disallowed on CraigsList since very early on. (Post pages would have a checkbox for whether people could contact you for other purposes, and displayed/scraped posts would indicate how the poster answered. I don't see how "growth hackers" could've missed that.)
CL was built on a Californian flavor of warm-fuzzy, and it was a shame to see Californian-style startups then abuse that. (Well, when CL grew mainstream, the anonymity and hookups attracted sketchiness, but was another corruption.)
Everyone wants to keep their data secret, but no one wants to respect others wishes.
Discord also has a similar message in their console.
https://cdn.discordapp.com/attachments/711974054088933446/96...
Nowadays it’s called illegal. At least in the EU.
https://gdpr.eu/
It's quite comprehensive, but article 4 on consent.
Does anyone here think an open source blocklist for domains associated with this developer-targeted spam would be useful?
you just need to do a git clone and you get all the email addresses in the commit history of a repository.
unless you're talking about your publicly displayed email address (visible to logged-in users), which I believe is not shown by default and can be disabled easily.
I understand and respect that some people may prefer to stay anonymous. But if you are hiding your email just to fight spam, I don't think it's worth it. I prefer being easily reachable and dealing with a few spam emails that get through the filter.
I’m not spamming, and I’ve never gotten a negative response. It’s just that some people don’t think about setting up a personal site / publishing contact info.
And it's the same one in one of the commits: https://github.com/fouric/lightning-cd/commit/db619ad363227e...
Anyway, do you have a problem with people reaching out to you via email that you leave in the commit, or specifically automated scraping of email from commits? I think the former is fine and by design.
You can always put something else there (e.g. GitHub's anonymized addresses) or leave it empty.
If enough people mark as spam it’ll go to spam for everyone else so it’s pretty self-correcting.
Lots of companies are scraping data and lots of companies are buying, aggregating, and selling data to each other.
https://www.troyhunt.com/8-million-github-profiles-were-leak...
Now if you are in Europe/related, you could try to go the GDPR way, which TBH I don't know at all what it entails here.
Then you have to force push.
Note, you will still have the same number of commits in the same order with the same diffs, but they will be new commit ids.
You’re “rewriting” your history. Which in the case you outline is perfectly fine. But note, anyone who’s pulled down the branches you’re changing will need to reset rather than pull your changes otherwise git will attempt to MERGE the new history with the old one.