27 comments

[ 3.4 ms ] story [ 61.5 ms ] thread
That's basically the idea behind https://reporeach.com
How can you tell? This website doesn't explain what the product is, how it works, or even bother with a privacy policy.
It also requires registration to use it.

    [+] login : zellyn
    [+] id : 33625
    [+] avatar_url : https://avatars.githubusercontent.com/u/33625?v=4
    [+] name : Zellyn Hunter
    [+] company : Square
    [+] blog : http://www.zellyn.com/
    [+] location : Atlanta
    [+] bio : Programmer at Square. Mostly (currently) Go.
    [+] public_repos : 52
    [+] public_gists : 47
    [+] followers : 101
    [+] following : 20
    [+] created_at : 2008-11-10T13:26:38Z
    [+] updated_at : 2025-03-03T00:51:46Z
    [+] public_gists : https://gist.github.com/zellyn
    [+] SSH_keys : https:/github.com/zellyn.keys
    [+] email : hippytrail@gmail.com zellyn@squareup.com tomcw@users.noreply.github.com zellyn@gmail.com
Pretty much spot on, except for the emails. The ones with username `zellyn` are correct; the others are people who've contributed changes to repos I created (I think).
Seems like its more trouble than just appending .patch to a commit.
Who does this benefit besides spammers?
People who want to make sure that nothing wrong is shared with spammers or the world in general?
Why would you want that?

I would, in general, prefer that incorrect information about me was shared with spammers, if any information is shared. Ditto for most third parties that I don't have a direct relationship with or ongoing conversation. And even then, usually the information they need about me is pretty limited.

nothing wrong = nothing I want out there. not talking about security through obfuscation
Stalkers and abusers
Or people who want to double check if they are not vulnerable to stalking and abuse by a silly mistake.
Knowing what malicious actors are capable of is important for protecting yourself against them.
Just as recruiters were stopping to spam me via GitHub...
ok, but it doesn't actually tell you anything new except the email

everything else is literally just the info on the github profile page

And I assume the emails are obtained from the commits' metadata, which is known to show your email when you upload code to Github.
Email is visible in commit messages. So nothing new at all
I do feel you have a bit of an ethical obligation to also have a "how to avoid leaking this information" section in your README.
You may not be the creator, but the intent of this repo appears to be at odds with GitHub's acceptable use policies.

For anyone else dealing with recruiters or companies spamming you from your github commit email, it's reportable under information usage restrictions and privacy.

https://docs.github.com/en/site-policy/acceptable-use-polici...

Uh couldn't you use the Events API to more efficiently go through someone's recent commits?

    def findEmailFromContributor(username, repo, contributor):
        response = requests.get('https://github.com/%s/%s/commits?author=%s' % (username, repo, contributor), auth=HTTPBasicAuth(username, '')).text
        latestCommit = re.search(r'href="/%s/%s/commit/(.*?)"' % (username, repo), response)
        if latestCommit:
            latestCommit = latestCommit.group(1)
        else:
            latestCommit = 'dummy'
        commitDetails = requests.get('https://github.com/%s/%s/commit/%s.patch' % (username, repo, latestCommit), auth=HTTPBasicAuth(username, '')).text
        email = re.search(r'<(.*)>', commitDetails)
Correct me if I'm wrong, but isn't this feature already in Github API Tools?Project dashboards and contributors' e-mail addresses can already be seen in the free Github API Tools.At this point, the only advantage may be to compile all the information together.When data is requested in Json format, Github shares most of the data for free.