by thedoctor79 3975 days ago
So it seems the author has identified a real issue here, but I will go meta on this and identify issues with his demonstration. In my organization this would count as a bug report, so I wondered why this issue was not communicated privately to the operators of GitHub so they can have a chance to fix it before some uneducated person does some damage. Then I realized this issue might affect other git content hosters, so going public might alert them as well as forcing GitHub to fix it. Regardless, would the best approach not be to communicate privately first and allow GitHub to fix it before going public? If this was raised privately and not acted upon, then why are GitHub's internal processes so slow? So many questions, so little time...
2 comments

I reported this to GitHub privately about a year ago – specifically, I asked why there isn't some visual indication when Git's `user.email` fails to match any of the GitHub account's verified e-mail addresses. If you commit with a `user.email` that doesn't match _anyone_, you get a little question mark; it seemed like they could do a similar thing when you commit using a `user.email` that matches someone-who-isn't-you. Even just showing which GitHub user made the HTTP or SSH connection to push the changeset would be an improvement.

The tech told me that the current behavior was by design, and then pretty much said I didn't know how git worked and didn't understand GitHub's team/sharing/trust philosophy. I was pretty disappointed by their response, all told.

The problem is that "it's not a bug, it's a feature". Look at the Linux kernel mirror for example. All those commits come from different users around the internet, but when their emails show up, GitHub can link their usernames to their profiles.

What to do about this though... that's a good question. Perhaps just not linking profiles when pushed in this way and/or labeling them "unverified" would be sufficient. GPG signing would be nice, but would likely annoy some users.
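
The labeling idea raised in the comments above, sketched as an added example (not part of the original thread and not GitHub's code): each pushed commit's `user.email` is compared with the verified addresses of the account that authenticated the push. The account table, logins, addresses, commit ids and function names are all constructed for illustration.

```python
# Added illustration: label each pushed commit by comparing its author e-mail
# (git's user.email) with the verified addresses of the account that pushed.
# All account names, addresses and commit ids below are constructed.

VERIFIED = {  # hypothetical host-side table: login -> verified e-mail addresses
    "alice": {"alice@example.com", "alice@corp.example"},
    "bob": {"bob@example.com"},
}

# Constructed output of: git log --format='%h %ae' <old>..<new>
PUSHED = """\
a1b2c3d alice@example.com
d4e5f6a Bob@Example.com
0f9e8d7 nobody@elsewhere.example
"""


def owner_of(email, verified):
    """Return the login that has verified this address, or None."""
    email = email.strip().lower()  # assumption: addresses compared case-insensitively
    for login, addresses in verified.items():
        if email in {a.lower() for a in addresses}:
            return login
    return None


def label_commit(author_email, pusher, verified=VERIFIED):
    """Classify one commit relative to the authenticated pusher."""
    owner = owner_of(author_email, verified)
    if owner is None:
        return "unmatched"        # matches no account: the question-mark case
    if owner == pusher:
        return "verified"         # author address belongs to the pusher
    return "unverified:" + owner  # address belongs to a different account


def label_push(log_text, pusher, verified=VERIFIED):
    """Map each commit id in the log text to its label."""
    labels = {}
    for line in log_text.splitlines():
        if line.strip():
            commit, email = line.split(None, 1)
            labels[commit] = label_commit(email, pusher, verified)
    return labels


if __name__ == "__main__":
    for commit, label in label_push(PUSHED, "alice").items():
        print(commit, label)
```

The sketch labels rather than rejects, because a mirror such as the kernel one mentioned above legitimately pushes commits authored by other people.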