Re: Wildcards in mailmap to hide transgender people's deadnames

On Mon, Sep 19 2022, brian m. carlson wrote:

> On 2022-09-19 at 11:20:13, Ævar Arnfjörð Bjarmason wrote:
>> I.e. I think a "deadname" use-case of this would probably:
>> 
>> * Have some comment at the top of .mailmap about why some values are
>>   over-encoded (or perhaps it would be obvious to everyone working on
>>   that repo why someone was encoding the "plain ASCII" A-Za-z0-9 space).
>
> I don't think we need to do this.  First of all, it makes people curious
> and nosy, and it draws attention to the situation when in many cases,
> other contributors might not even notice as they're updating the
> mailmap.  

Sure, to clarify I meant this is something that a downstream project
using the .mailmap might want to add, or they might now.

> Adding lots of attention is going to add the potential for
> harassment.

I'm in no way minimizing that potential for harassment, doxxing etc., in
fact I'm vehemently agreeing with that point. But I think this gets to
the crux of our disagreement.

I think it would be irresponsible of us to provide a feature that looks
as though it can in any way mitigate those concerns.

If you're someone that's worried about being harassed if someone makes
the link from your previous identity Y to your current identity X where
you already have Y as part of a public git history, the right answer is
to not submit a change to the .mailmap to explicitly connect the two.

>> But should not:
>> 
>> * Assume that other tools such as "fsck", "check-mailmap" or even "log"
>>   won't have future features that make de-obscuring these values easier,
>>   or something that's part of a normal workflow.
>
> Your statement that you intended to write exactly such a feature was the
> main reason I dropped the SHA-256 hashed mailmap series.  I don't think
> it's constructive to offer or propose to offer such a feature in Git if
> we're trying to obscure people's names in the mailmap, and as such I
> would want to see a guarantee that we wouldn't implement or accept such
> a feature.  I don't see the point of obscuring names in the mailmap if
> we're just going to print them next to each other in the future, and I
> don't think it's moving us towards a solution to suggest that we might
> do that in the future.

I haven't gone back and re-read that whole thread, but I think I was
mainly pointing out that we or someone else can and probably will write
the trivial reverse mapping.

Hence my point above, even if we carefully scrutinize every change to
git.git to ensure that we never implement a feature that de-hashes the
hashes you proposed, all it'll take to defeat the entire mechanism is
something trivial like:

	diff -u <(git log) <(git log --no-mailmap)

> I'm happy to resurrect my SHA-256 hashed mailmap series if we're
> all willing to agree to not implement trivial decoding features.

I'd think you'd want to be really clear about what that forward promise
would entail. E.g. I've sometimes wanted a way for "git log" to report
when it munges commits due to adding notes, re-encoding the data etc. If
someone submits that sort of feature should it always explicitly leave
out mailmap-related rewrites?

And even if it does, who do we think we're really helping in the end,
given the trivial way you could get that with an external "diff" with
the one-liner above?

> I also have an alternate proposal which I pitched to some folks at Git
> Merge and which I just finished writing up that basically moves personal
> names and emails out of commits, replacing them with opaque identifiers,
> and using a constantly squashed mailmap commit in a special ref to store
> the mapping.  This doesn't address changing identities in existing
> commits, which as we've seen are nearly impossible to fix, but it does
> address new ones.  I've sent it out at
> https://lore.kernel.org/git/20220919145231.48245-1-sandals@xxxxxxxxxxxxxxxxxxxx/.

As I understand the difference in this scenario a hypothetical future
repo's Y commit's authorship would have been opaque in the first place
using this mechanism, and via your "refs/mailmap" you'd have mapped
Y=Bob.

You then make a future X commit, and map X=Alice, and have a .mailmap
entry which mapped Y=X, but that entry would refer to the opaque value.

That certainly changes things in a fundamental way, and goes most or all
of the way to mitigating what I've been pointing out as a flaw in these
proposals.

I'd still be very much on the fence about whether we'd ever want to
recommend that to someone concerned with "harassment" and the like (as
opposed to a milder social preference), as all it would take to get to
that point is someone having a copy of the older "refs/mailmap" to
unmask the previous "Y".



