Git Setup for OpenSource/Public Development

by Steven Cooney

If you intend to develop in the public domain on open source projects, you will need to set up Git. I'm going to outline my git configuration and discuss my approach.

Email Address

When setting up Git, one of the first things you configure is your email address. Often not much thought is given to this step; however, if you use your private email address you are advertising it in every commit you make. Consequently, your email address could become the target of spam from a malicious actor who scrapes email addresses from git history.

For example, below is a screenshot of Wes Bos' awesome-uses repository. You can see that several of the contributors have exposed their email addresses when committing to the project.

Image of Git Log

My Configuration

I use the no-reply address for my GitHub account as my git email. On GitHub, you can find your no-reply email address in Settings > Emails > under "Keep my email addresses private".

Image of Git Log

You can then set your git email using this address:

git config --global user.email "30004860+TheYorkshireDev@users.noreply.github.com"

To prevent my email address from being exposed when performing actions through the GitHub UI, such as edits or merges, I check "Keep my email addresses private".

Finally, I check "Block command line pushes that expose my email" which blocks pushes with commits that include personal email addresses.

Username

When setting up Git, alongside your email, you need to set your name. I would recommend using your first name and surname for this option, which most people will probably do automatically. It is worth noting that if you are thinking of using a pseudonym in Git, it can violate some open source projects' contribution guidelines. One such example is the Docker project, so to err on the side of caution, it might be worth sticking to your real name.

Commit Signing

The final thing I have configured for open source development is commit signing. I'm not going to go over the advantages and disadvantages of commit signing in this post; for more details, check out this StackExchange post and its sub-links. Not everyone agrees on an approach to commit signing, but I tend to sign all my commits.

Generate GPG Key

I recommend following GitHub's official guide for generating GPG keys.

Add a GPG key to your GitHub Account

You will need to have noted down your public key to upload to GitHub. If you didn't, run the following to retrieve it:

gpg --armor --export <EMAIL_ADDRESS>

Again, I recommend following GitHub's official guide for adding a GPG key to your GitHub account.

Configure Local Environment

The following commands configure Git to always sign commits with the GPG key you have just generated.

git config --global user.signingKey <REPLACE_THIS_WITH_YOUR_KEY_ID>

git config --global commit.gpgSign true

To verify commit signing is configured, run the following:

echo "test" | gpg --clearsign
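As an added example that is not part of the original post, the following POSIX shell script checks the three settings above (a no-reply email, a signing key and commit.gpgSign) and audits a git log listing for commits that still expose a personal address or lack a good signature, which the clearsign test alone does not confirm. It assumes GitHub's users.noreply.github.com domain and the output shape of git log --format='%H %ae %G?'; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Git identity settings
# the post configures and check existing commits for exposed emails or
# missing signatures. Assumes GitHub no-reply addresses (users.noreply.github.com).

ALLOWED_DOMAIN="users.noreply.github.com"

# check_config EMAIL SIGNING_KEY GPGSIGN
# Values are passed in so the function can run without git, e.g.:
#   check_config "$(git config user.email)" "$(git config user.signingKey)" \
#                "$(git config commit.gpgSign)"
# Prints one line per problem and returns 1 if anything is wrong.
check_config() {
  email=$1; key=$2; gpgsign=$3; rc=0
  case "$email" in
    *"@$ALLOWED_DOMAIN") ;;
    *) echo "user.email '$email' is not a $ALLOWED_DOMAIN address"; rc=1 ;;
  esac
  [ -n "$key" ] || { echo "user.signingKey is not set"; rc=1; }
  [ "$gpgsign" = "true" ] || { echo "commit.gpgSign is '${gpgsign:-unset}' (expected true)"; rc=1; }
  return $rc
}

# audit_log reads lines of "<hash> <author-email> <sig-status>" on stdin,
# the shape produced by:  git log --format='%H %ae %G?' | audit_log
# %G? is G for a good signature, N for none, B bad, U good-but-untrusted,
# E when it cannot be checked. Prints one finding per line; returns 1 if any.
audit_log() {
  awk -v dom="$ALLOWED_DOMAIN" '
    NF < 3 { next }                       # skip blank or malformed lines
    {
      hash = substr($1, 1, 12); email = $2; sig = $3
      n = split(email, parts, "@")
      if (n != 2 || parts[2] != dom) {
        print hash " exposes email " email; bad++
      }
      if (sig != "G") {
        print hash " signature status " sig " (expected G)"; bad++
      }
    }
    END { exit (bad > 0) }
  '
}
```

Run audit_log over the full history before your first push to a public repository; the "Block command line pushes that expose my email" setting only catches the email case, not unsigned commits.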

What's your Git configuration? Do you have any feedback? Reach out and let's discuss.


© 2021 - TheYorkshireDev