Allow users to use alternative identities for commits made online (BB-9432)

Issue #8302 closed
Miroslav Koškár created an issue

Now when a user does online edits / merges, the email address used to record such commits is the "primary" one. That address is, however, also used for account-related notifications and mainly for login and password recovery.

Hence, by doing online edits this email address is compromised.

This could be prevented if the user had the option to instruct the system to use another verified email address, preferably one matching his regular public Git identity.

Comments (10)

  1. Marcus Bertrand staff

    Thanks for the suggested feature. If you are concerned that your public commits expose an email you aren't comfortable sharing, for now, please change your primary email on your account to the one you wish to show up on your commits.

  2. Miroslav Koškár reporter

    It's not that I'm not comfortable sharing the email address; it's already shared in the rest of the Git history. The thing is that whatever email address I choose as primary, it is the very same address I use to log in or recover my password. So basically anybody knows half of my credentials without effort. It's a security leak. Of course I possess the email access, but now an attacker knows what to target. So what you've suggested is not a workaround for this issue.

  3. WiFi_Man

    I just had my account email leaked, without warning, in the Author line forged by Bitbucket for a pull request merge. I don't see a way to reopen this issue.

    As of this writing, #6106 is also not fixed, so I'll probably not be using the pull request feature on anyone else's repositories.

