Issue #9424 invalid

Mixing identities

Eyal Fink
created an issue

I have two identities at bitbucket https://bitbucket.org/efink https://bitbucket.org/eyal_yowza

The first is my personal, the second is my work.

I've created a repository with efink and was trying to keep it separate from my other identity.

I'm not sure why and how, but if you look at the commits you see an inconsistency. From the overview page: https://bitbucket.org/efink/latex-comments-extension it looks like efink did the commits. From the commits page: https://bitbucket.org/efink/latex-comments-extension/commits/branch/master it looks like eyal_yowza did the commits.

I'm using two different browsers for these two users and using two different ssh keys.

Comments (3)

  1. Eyal Fink reporter

    It seems that the way this mixing happens is that on my local clone of the repository I was using my default ~/.gitconfig, in which the user section states my work email.

    Now I understand what I'm seeing - efink is doing the push to the bitbucket repository and eyal_yowza did the commits.

    This looks like a security/privacy issue! You are linking a commit to a user profile by trusting an email address which is not verified. This leaks user information.
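The mechanism the reporter describes can be reproduced in a throwaway repository. The script below is an added example and is not part of the issue thread or of Bitbucket's code: it writes a work address into a private ~/.gitconfig, commits once (the global identity is recorded as author), then overrides user.email for that one repository and commits again. A small check at the end lists commits whose author address does not match the address the pushing account is expected to use, which is the kind of review a project owner can run before pushing. All e-mail addresses, names and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the issue thread): demonstrates that the author
# e-mail recorded in a commit comes from the git configuration of the clone
# that made it (global ~/.gitconfig unless the repository overrides it), so a
# push made with one SSH key can carry commits attributed to another identity.
# All addresses and paths below are constructed placeholders.
set -e

WORK_EMAIL="work@example.com"          # assumed: identity in ~/.gitconfig
PERSONAL_EMAIL="personal@example.com"  # assumed: identity this repo should use

# Create a throwaway repository under a private HOME so the global
# configuration written here never touches the real ~/.gitconfig.
setup_repo() {
    SANDBOX=$(mktemp -d)
    export HOME="$SANDBOX"
    export GIT_CONFIG_NOSYSTEM=1
    git config --global user.name "Example User"
    git config --global user.email "$WORK_EMAIL"
    REPO="$SANDBOX/repo"
    git init -q "$REPO"
    cd "$REPO"
}

# First commit inherits the global identity; then the identity is overridden
# for this repository only and a second commit is made.
make_commits() {
    echo one > a.txt
    git add a.txt
    git commit -q -m "first commit (global config applies)"
    git config user.email "$PERSONAL_EMAIL"     # repository-local override
    echo two > b.txt
    git add b.txt
    git commit -q -m "second commit (repo-local identity)"
}

# One line per commit, oldest first: the author e-mail exactly as git stored it.
author_emails() {
    git log --reverse --format='%ae'
}

# Defender-side check: commits whose author e-mail is not the address the
# pushing account is expected to use ($1). Run this before pushing.
foreign_authors() {
    git log --format='%h %ae' | awk -v ok="$1" '$2 != ok { print }'
}

setup_repo
make_commits
FIRST=$(author_emails | sed -n 1p)
SECOND=$(author_emails | sed -n 2p)
FOREIGN_COUNT=$(foreign_authors "$PERSONAL_EMAIL" | wc -l | tr -d ' ')
echo "commit 1 author: $FIRST"
echo "commit 2 author: $SECOND"
echo "commits not authored as $PERSONAL_EMAIL: $FOREIGN_COUNT"
```

The repository-local `git config user.email` is the simplest fix for a single clone. To keep two identities apart across many clones, git's conditional includes (`[includeIf "gitdir:~/personal/"]` pointing at a separate config file) select the identity by checkout location, so the global default never applies to the wrong repository. Neither setting verifies the address: the author field remains whatever the committer's configuration says, which is exactly why a hosting service matching it to a profile is working from unverified data.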

  2. Michael Frauenholtz staff

    Hi Eyal,

    We don't consider this a security issue or feel that we are leaking information. We do not change any permissions based on the commit email address. We simply try to show the best match for a commit author to a Bitbucket user.

  3. Eyal Fink reporter

    I think there are two holes here: 1. The connection between my working email and the bitbucket user is not public information and you are exposing it to someone who knows my email. 2. I can very easily create the impression that someone else is working with me, for instance, if I do a local commit to my repo with the email jespern@bitbucket.org and then push it, people who are looking at my project will get the impression that Jesper Nøhr is working with me (I didn't test it as I wanted to test it, but my co-worker warned me that I might find myself banned from the US for violating federal laws :) )

    I understand the complexity of solving this issue while still keeping the benefit of linking a commit to a user but I still think the issue is valid.
