Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pull request "Squash and merge" button changes author details #1368

Open
jmarshall opened this Issue Sep 19, 2018 · 13 comments

Comments

Projects
None yet
7 participants
@jmarshall
Copy link

jmarshall commented Sep 19, 2018

samtools/hts-specs#339 was a pull request consisting of a single commit:

commit 28c558e0bc7e112b8b7674baf9da5c5cdbd860f8 (range-desc)
Author:     John Marshall <John.W.Marshall@glasgow.ac.uk>
AuthorDate: Fri Sep 14 22:26:33 2018 +0100
Commit:     John Marshall <John.W.Marshall@glasgow.ac.uk>
CommitDate: Fri Sep 14 22:26:33 2018 +0100

It was merged using the GitHub UI "Squash and merge" button (so that it would be rebased onto the current tip of origin/master) leading to the following commit on the main repository's master:

commit 98de888fb25b856fac74ae27023f1f5300752240 (origin/master, origin/HEAD)
Author:     John Marshall <jmarshall@users.sourceforge.net>
AuthorDate: Wed Sep 19 09:41:21 2018 +0100
Commit:     Andrew Yates <andrewyatz@users.noreply.github.com>
CommitDate: Wed Sep 19 09:41:21 2018 +0100

As expected, the Committer and CommitDate have been altered to reflect the person who pressed the merge button.

The AuthorDate has been altered by GitHub to be the same as CommitDate, but this is incorrect — the commit was still originally authored on Friday 14th.

The AuthorEmail has been altered by GitHub to be the default email address associated with the @jmarshall GitHub account at the time. This is very incorrect, as I do not use this email address when doing work on samtools/hts-specs.

When the "Squash and merge" button is being used to squash several commits from different authors, there is an argument to be had that Author/AuthorDate could be updated in some way (or GitHub could just follow what git does in this case).

When the "Squash and merge" button is being used to squash several commits from the same author (so AuthorName and AuthorEmail are the same, which is trivially true when there is only one commit), it is a bug to change the author's listed AuthorName or AuthorEmail.

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Sep 21, 2018

Reply from support@github.com:

Thanks for writing in about this! I'll pass your feedback along to the team. In the meantime, if you have the person who authored the PR itself squash and merge the PR, we retain more information about the author, so that might be a workaround for you in certain circumstances.

The workaround suggested is unworkable because the PR's author is not the maintainer of the code in question, so does not have the authority to review or merge the PR.

The real workaround is for the maintainer to do the merge using the git command line instead of GitHub's UI, but then we will likely run into #2.

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Oct 5, 2018

samtools/hts-specs#335 is a PR that was merged via the GitHub UI (likely also with the "Squash and merge" button), resulting in the commit samtools/hts-specs@eb9d612 on master:

commit eb9d6127c89b7fe8d08c13c4e877ba3ad33af4fe
Author:     John Marshall <John.W.Marshall@glasgow.ac.uk>
AuthorDate: Tue Sep 4 11:42:42 2018 +0100
Commit:     Mike Lin <mlin@mlin.net>
CommitDate: Sun Sep 16 14:23:18 2018 -0700

Here the original AuthorDate and AuthorEmail have been retained, as expected. So the arguably incorrect date behaviour and the clearly incorrect email behaviour are a recent change, deployed on GitHub.com somewhere between September 16th and 19th.

@aspiers

This comment has been minimized.

Copy link
Collaborator

aspiers commented Oct 5, 2018

This seems to be a rough duplicate of #1303, although it does helpfully provide a lot more details.

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Oct 5, 2018

@aspiers: #1303 is a complaint (filed in July) that a particular project maintainer didn't appropriately preserve Author information when rebasing the OP's commits, and a request for a GitHub enhancement to preserve the original Authors informations outwith git when squashing commits from several authors in the UI.

This is a bug report about a behaviour change in September. The two pertain to related areas of functionality, but are not duplicates.

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Oct 7, 2018

Upon further testing, I see that AuthorName is also affected.

Whatever you carefully set up your Name and Email address to be, e.g., via bespoke user.name and user.email config entries appropriate for the particular repository, if your PR is merged via the GitHub UI “Squash and merge” button then in the resulting commit the AuthorName and AuthorEmail will be rewritten behind your back to your GitHub account's profile name and primary email address.

@Stanzilla

This comment has been minimized.

Copy link

Stanzilla commented Nov 2, 2018

Just noticed this as well, see this commit https://github.com/WeakAuras/WeakAuras2/commit/fa75abcc7b618b93d416aaa3f0a6315a2ab486d8.patch that was a Squash & Merge and it used InfusOnWoW as username, while this https://github.com/WeakAuras/WeakAuras2/commit/52de0a0de49afd9f665638227d2a003dd7267750.patch was a Rebase & Merge and it uses Infus as name.

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Dec 5, 2018

Problem still exists: see PR jmarshall/test@02f15df which became jmarshall/test@2105ce7 on Squash'n'Merging. (Add .patch to those links to see a rawer view of the commits.)

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Dec 14, 2018

Previously tweeted about here and here.

Followup email sent to support@github.com today, attempting to highlight the personal information disclosure angle. You would think the discarding users' carefully-constructed author information angle would be bad enough to gain attention in itself… — Git has one job — to preserve historical information accurately…

Could you please comment on the status of this bug report. It is a serious issue as it leads to misattribution of commits when a person uses their GitHub account for both e.g. work-related and personal activities.

Suppose I have my GitHub account set up with a profile name of "John Marshall" and a primary email address of my work email address, say john_marshall@workemail.example.

Suppose I contribute to some nethack-style game in the evenings, and set up my clone's repository config such that PRs are submitted with commits like

Author: John the Barbarian <john@gameplayers.example>

If the game maintainers merge this PR using the "squash & merge" button, the resulting commit on master will have its author information rewritten by GitHub to

Author: John Marshall <john_marshall@workemail.example>

This is wildly inappropriate and constitutes a doxxing of the user's work persona. (If several email addresses associated with the same GitHub account are on commits in different projects, to be sure it's not too hard to discover the other associated email addresses. However this bug reduces the effort required to zero and writes the work persona into the game repository's permanent commit history.)

Please comment as to whether GitHub accepts the seriousness of this issue, and what steps are being taken to fix it.

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Jan 7, 2019

Reply received from GitHub Support on January 2nd:

Hey John,

My sincerest apologies for the delay in our response!

It looks like our Engineering Team are currently working on investigating the contribution attribution logic for Squash Merges. There isn't any concrete decisions taken place as yet but it does seem to be moving forward.

We appreciate your patience on this one and as soon as we have an update for you we'll be in touch.

Problem still exists unchanged on retesting today; my reply to Support, sent today:

Dear [Support],

Thank you for your reply. Could GitHub please comment on whether it considers this to be a serious and significant issue?

To my mind GitHub has been misidentifying these commits since September, and I would expect Engineering to want to revert September's logic change immediately (so as to stop adding more incorrectly-attributed commits to project histories) while they continue to work on further logic changes.

@peterjc

This comment has been minimized.

Copy link

peterjc commented Jan 7, 2019

To clarify, my down-thumbs reaction 👎 on John's update today was about the lack of any movement from GitHub.

I often do squash-and-merge commits of pull requests, but thus far haven't had anyone complain - people setting their commit authorship differently to their Github profile must be a minority? However, they would be a tech savvy minority ...

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Jan 14, 2019

Reply received from Support today:

The Issue has been marked as Priority 1 and is currently being investigated by our Engineering Team.

Thanks (assuming 1 = high!). Insert here standard concern about “no response” and “bug report disappeared into the void” being indistinguishable…

GitHub has supported attaching multiple email addresses to each GH account for many years. This author rewriting goes directly against this, so once again it seems astonishing that the September behaviour was ever deployed…

@negebauer

This comment has been minimized.

Copy link

negebauer commented Mar 13, 2019

When editing a file from Github's UI you can actually select which email to use

image

But when merging a PR you can't, it should be an option too!

(Kinda related to this issue)

@jmarshall

This comment has been minimized.

Copy link
Author

jmarshall commented Mar 13, 2019

@negebauer: This issue is a history corruption bug that was introduced last September. The UI limitation you mention is issue #95 (see #95 (comment) and following).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.