Git records the local timezone when a commit is made [1]. Knowledge of the timezone in which a commit was made could be used as a bit of identifying information to de-anonymize the committer.

Setting one’s timezone to UTC can help mitigate this issue [2][3] (though, ofc, one must still be wary of time-of-day commit patterns being used to deduce a timezone).

References
  1. Git documentation. git-commit. “Date Formats: Git internal format”. Accessed: 2024-08-31T07:52Z. https://git-scm.com/docs/git-commit#Documentation/git-commit.txt-Gitinternalformat.

    It is <unix-timestamp> <time-zone-offset>, where <unix-timestamp> is the number of seconds since the UNIX epoch. <time-zone-offset> is a positive or negative offset from UTC. For example CET (which is 1 hour ahead of UTC) is +0100.

  2. jthill. “How can I ignore committing timezone information in my commit?”. Stack Overflow. Published: 2014-05-26T16:57:37Z. (Accessed: 2024-08-31T08:27Z). https://stackoverflow.com/questions/23874208/how-can-i-ignore-committing-timezone-information-in-my-commit#comment36750060_23874208.

    to set the timezone for a specific command, say e.g. TZ=UTC git commit

  3. Oliver. “How can I ignore committing timezone information in my commit?”. Stack Overflow. Published: 2022-05-22T08:56:38Z (Accessed: 2024-08-31T08:30Z). https://stackoverflow.com/a/72336094/7934600

    each commit Git stores a author date and a commit date. So you have to omit the timezone for both dates.

    I solved this for my self with the help of the following Git alias:

    [alias]
co = "!f() { \
    export GIT_AUTHOR_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \
    export GIT_COMMITTER_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \
    git commit $@; \
    git log -n 1 --pretty=\"Autor: %an <%ae> (%ai)\"; \
    git log -n 1 --pretty=\"Committer: %cn <%ce> (%ci)\"; \
}; f"

Cross-posts:

  • Kalcifer@sh.itjust.worksOPEnglish
    51·
    19 days ago

    leak

    In case the usage of that word is core to your argument, note that I have changed it from “leaks” to “exposes”.

    So a documented core aspect of the tool is a leak.

    A service/tool being documented doesn’t necessitate that that service/tool is private. All large social media companies, which seem to universally be understood as the antithesis to privacy, have very detailed terms and conditions that outline exactly what those services do. Do you think those services should be regarded as private because what they do is documented…?

    Impressive research

    I’m not sure why the condescension is warranted.