Git records the local timezone when a commit is made [1]. Knowledge of the timezone in which a commit was made could be used as a bit of identifying information to de-anonymize the committer.
Setting one's timezone to UTC can help mitigate this issue [2][3] (though, ofc, one must still be wary of time-of-day commit patterns being used to deduce a timezone).
References
- Git documentation. git-commit. "Date Formats: Git internal format". Accessed: 2024-08-31T07:52Z. https://git-scm.com/docs/git-commit#Documentation/git-commit.txt-Gitinternalformat.
It is
<unix-timestamp> <time-zone-offset>
, where<unix-timestamp>
is the number of seconds since the UNIX epoch.<time-zone-offset>
is a positive or negative offset from UTC. For example CET (which is 1 hour ahead of UTC) is+0100
. - jthill. "How can I ignore committing timezone information in my commit?". Stack Overflow. Published: 2014-05-26T16:57:37Z. (Accessed: 2024-08-31T08:27Z). https://stackoverflow.com/questions/23874208/how-can-i-ignore-committing-timezone-information-in-my-commit#comment36750060_23874208.
to set the timezone for a specific command, say e.g.
TZ=UTC git commit
- Oliver. "How can I ignore committing timezone information in my commit?". Stack Overflow. Published: 2022-05-22T08:56:38Z (Accessed: 2024-08-31T08:30Z). https://stackoverflow.com/a/72336094/7934600
each commit Git stores a author date and a commit date. So you have to omit the timezone for both dates.
I solved this for my self with the help of the following Git alias:
[alias] co = "!f() { \ export GIT_AUTHOR_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \ export GIT_COMMITTER_DATE=\"$(date -u +%Y-%m-%dT%H:%M:%S%z)\"; \ git commit $@; \ git log -n 1 --pretty=\"Autor: %an <%ae> (%ai)\"; \ git log -n 1 --pretty=\"Committer: %cn <%ce> (%ci)\"; \ }; f"
Cross-posts:
This seems like a weird thing to be concerned about. Any given time zone there are going to be millions if not billions of people.
Git also "leaks" your system username and hostname IIRC by default which might be your real name. A fake name and email would pretty much be sufficient to make any "leaked" time zone information irrelevant.
Granted... I wonder if stuff like this is how they caught those North Korean "employees."
https://arstechnica.com/?p=2042326
FWIW, I'd also suggest just picking the wrong time zone (but a close one) over UTC or something like that. UTC seems like it's just "HEY LOOK AT ME! I'M TRYING TO HIDE SOMETHING!" One on the other side of the world, if you sleep like most people, could be defeated by doing an analysis of when the commits were made on average vs other folks from random repositories to find the average time of day and then reversing that information into a time zone.
It's better to be "Jimmy Robinson in Houston Texas" than "John Smith in UTC-0"
This is the first thing I thought of upon reading the title, and I swear I've read a writeup of something that included this as a lead that led to identifying an individual (i.e. commit timestamps)
It's also in the post body.