Git records the local timezone when a commit is made [1]. Knowledge of the timezone in which a commit was made could be used as a bit of identifying information to de-anonymize the committer.

Setting one’s timezone to UTC can help mitigate this issue [2][3] (though, ofc, one must still be wary of time-of-day commit patterns being used to deduce a timezone).

References
  1. Git documentation. git-commit. “Date Formats: Git internal format”. Accessed: 2024-08-31T07:52Z. https://git-scm.com/docs/git-commit#Documentation/git-commit.txt-Gitinternalformat.

    It is <unix-timestamp> <time-zone-offset>, where <unix-timestamp> is the number of seconds since the UNIX epoch. <time-zone-offset> is a positive or negative offset from UTC. For example CET (which is 1 hour ahead of UTC) is +0100.

  2. jthill. “How can I ignore committing timezone information in my commit?”. Stack Overflow. Published: 2014-05-26T16:57:37Z. (Accessed: 2024-08-31T08:27Z). https://stackoverflow.com/questions/23874208/how-can-i-ignore-committing-timezone-information-in-my-commit#comment36750060_23874208.

    to set the timezone for a specific command, say e.g. TZ=UTC git commit

  3. Oliver. “How can I ignore committing timezone information in my commit?”. Stack Overflow. Published: 2022-05-22T08:56:38Z (Accessed: 2024-08-31T08:30Z). https://stackoverflow.com/a/72336094/7934600

    each commit Git stores a author date and a commit date. So you have to omit the timezone for both dates.

    I solved this for my self with the help of the following Git alias:

    [alias]
    co = "!f() { \
        export GIT_AUTHOR_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \
        export GIT_COMMITTER_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \
        git commit $@; \
        git log -n 1 --pretty=\"Autor: %an <%ae> (%ai)\"; \
        git log -n 1 --pretty=\"Committer: %cn <%ce> (%ci)\"; \
    }; f"
    

Cross-posts:

  • ExtremeDullard@lemmy.sdf.org
    link
    fedilink
    arrow-up
    26
    ·
    3 months ago

    It’s not the only thing that leaks timezone data, and the fix is identical: have the machine pretend you’re in UTC.

    For example: if you enable Resist Fingerprinting (RFP) in Librewolf, it will lie to websites and pretend your timezone is UTC - because of course timezone is one of the factors used to fingerprint you - and all the sites you visit that show you your local time, or depend on your local time for something or other, will show you the wrong time. And that’s how you know it works 🙂

    • Kalcifer@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      3 months ago

      have the machine pretend you’re in UTC.

      That is a possible solution, though not exactly the most convenient, imo. That is, if I understand you correctly that you are talking about setting the OS timezone to be UTC.

    • viking@infosec.pub
      link
      fedilink
      arrow-up
      3
      arrow-down
      4
      ·
      3 months ago

      And that’s the reason why I don’t use it, I need specific websites that access my local time, and apparently whitelisting is not a thing.

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        12
        ·
        edit-2
        3 months ago

        Often times the final build will have the information from the system including the hostname and username

          • Possibly linux
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            Not really as those are public things. Dhcp is more of a issue.

            • Kalcifer@sh.itjust.worksOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              3 months ago

              Not really as those are public things.

              Would you mind citing an example of exactly what you are referring to? I feel like I’m presuming a lot of things in your statements here.


              Dhcp is more of a issue.

              I don’t know if it’s “more”, or “less” of an issue, but all these things are worthy of concern.

    • Kalcifer@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      11
      ·
      3 months ago

      Fair point. I think “leak” is likely the wrong term to use here. “Exposes” is probably a better one. I’ll update the post promptly.

  • Dark Arc@social.packetloss.gg
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    edit-2
    3 months ago

    This seems like a weird thing to be concerned about. Any given time zone there are going to be millions if not billions of people.

    Git also “leaks” your system username and hostname IIRC by default which might be your real name. A fake name and email would pretty much be sufficient to make any “leaked” time zone information irrelevant.

    Granted… I wonder if stuff like this is how they caught those North Korean “employees.”

    https://arstechnica.com/?p=2042326

    FWIW, I’d also suggest just picking the wrong time zone (but a close one) over UTC or something like that. UTC seems like it’s just “HEY LOOK AT ME! I’M TRYING TO HIDE SOMETHING!” One on the other side of the world, if you sleep like most people, could be defeated by doing an analysis of when the commits were made on average vs other folks from random repositories to find the average time of day and then reversing that information into a time zone.

    It’s better to be “Jimmy Robinson in Houston Texas” than “John Smith in UTC-0”

    • kamiheku@sopuli.xyz
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      could be defeated by doing an analysis of when the commits were made on average vs other folks from random repositories to find the average time of day and then reversing that information into a time zone

      This is the first thing I thought of upon reading the title, and I swear I’ve read a writeup of something that included this as a lead that led to identifying an individual (i.e. commit timestamps)

      • Kalcifer@sh.itjust.worksOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        could be defeated by doing an analysis of when the commits were made on average vs other folks from random repositories to find the average time of day and then reversing that information into a time zone

        This is the first thing I thought of upon reading the title

        It’s also in the post body.

    • Kalcifer@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      3 months ago

      Any given time zone there are going to be millions if not billions of people.

      One more bit of identifying information is still one more bit of identifying information.


      Git also “leaks” your system username and hostname IIRC by default which might be your real name.

      This is only part of a fallback if a username and email is not provided [1].

      References
      1. Git. Reference Manual. git-commit. “COMMIT INFORMATION”. Accessed: 2024-08-31T23:30Z. https://git-scm.com/docs/git-commit#_commit_information.

        In case (some of) these environment variables are not set, the information is taken from the configuration items user.name and user.email, or, if not present, the environment variable EMAIL, or, if that is not set, system user name and the hostname used for outgoing mail (taken from /etc/mailname and falling back to the fully qualified hostname when that file does not exist).


      A fake name and email would pretty much be sufficient to make any “leaked” time zone information irrelevant.

      Perhaps only within the context where one is fine with being completely unidentifiable. But this doesn’t consider the circumstance where a user does want their username to be known, but simply don’t want it to be personally identifiable.


      UTC seems like it’s just “HEY LOOK AT ME! I’M TRYING TO HIDE SOMETHING!”

      This is a fair argument. Ideally, imo, recording dates for commits would be an optional QoL setting rather than a mandatory one. Better yet, if Git simply recorded UTC by default, this would be much less of an issue overall.


      if you sleep like most people, could be defeated by doing an analysis of when the commits were made on average vs other folks from random repositories to find the average time of day and then reversing that information into a time zone.

      I mentioned this in my post.


      It’s better to be “Jimmy Robinson in Houston Texas” than “John Smith in UTC-0”

      That decision is contextually dependent.