Spam mail via GitHub #9969
Comments
Got it too
Open-source translation projects' translation files will have your email address in them because you are an open-source contributor. And that email address is the one identifying you on Weblate, that is, your Weblate email address. Everyone has access to "open" sources, and neither Weblate nor any other open project can prevent scammers from getting their hands on that because of this openness. This is also true for any public project on GitHub: on every commit you contributed, you have to give an email address to be associated with that commit. Whether it is fake, illegal, or anything else, they become public as soon as you make that commit (even private ones need an email, but they are private after all). And, the other thing is, on these open source projects you can only protect your access by a strong password and/or API keys so that nobody else can make a change on your behalf on these projects. So, in short, if you join any open source project, you cannot prevent others from seeing the things you are sharing with that project, and the first thing you have to share, fake or not, is an email address. It is just that it must be real to be verifiable for login purposes, and thus you have to accept the fate with spammers.
Having said that, IF you have worked only on private projects on Weblate and then this happened, you need to start a support conversation suitable for privacy. Otherwise, public projects have the above problem.
The disclosure of email addresses was considered problematic. It is already private by default in the end of 2022. GDPR considers email addresses to be personal information. It should not have been disclosed in this manner.
However, the email address is still embedded in GitHub. It may be used for spam. (PS : Addendum after 1 month) A personal email address is not required.
On Quora it is claimed that it is the use of email on Git as an identifier.
Weblate commits to Git using an address you can configure at https://hosted.weblate.org/accounts/profile/#account. Once the commit reaches a public repository, there is no control over how it will be used. You are very well aware of this situation, as it has been already discussed with you at maboroshin/translation#1. I don't see what kind of action you expect here.
PS: This spam is not related to Weblate at all, I got it to addresses which I've used before Weblate existed.
And because of that, it is not an "Open Source" friendly policy, where at least one single info is needed; an email address (again, fake or not, but preferably verifiable).
Then Weblate was born. You still maintain an email address. You will receive mail. It does not matter whether Weblate exists or not. This is a spam email that says it is via GitHub. The leakage route is related to GitHub. I created this email address for Weblate. It's easy to speculate that Weblate is the cause. @yilmazdurmaz : You can do open source development on GitHub without disclosing your email address.
Yes, Weblate does commit to Git under the e-mail you choose. Somebody scraping commits on GitHub can easily send spam to such an e-mail address. Still, this is the address of your choice, so you could have picked a private address, or an address you discard. Weblate is not different from GitHub here – you can contribute without disclosing your e-mail address. Yes, it was not possible in the past, but privacy focus evolves, and it was neither possible in the past at GitHub. They definitely implemented this earlier than us. I just don't understand this issue now. What change do you want to achieve?
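An added example, not part of this thread or of Weblate's or GitHub's code: a check a contributor can run before pushing to a public repository, listing commits whose author or committer e-mail is a routable address rather than a private one. The function names, the suffix list variable, the `origin/main..HEAD` range and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Input (stdin): one commit per line, "hash<TAB>author-email<TAB>committer-email",
# for example from: git log --format='%h%x09%ae%x09%ce' origin/main..HEAD
# (the range is an assumption; use whatever you are about to publish).

# Domains treated as private. users.noreply.github.com is GitHub's noreply
# domain; add the suffix of any other host you commit through (assumption:
# you know which suffix your host uses).
PRIVATE_SUFFIXES="users.noreply.github.com"

is_private_email() {
    # Compare the domain part, case-insensitively, against each suffix.
    domain=$(printf '%s' "${1##*@}" | tr 'A-Z' 'a-z')
    for suffix in $PRIVATE_SUFFIXES; do
        [ "$domain" = "$suffix" ] && return 0
    done
    return 1
}

check_commit_emails() {
    # Prints "hash role email" for each exposed address; returns 1 if any.
    found=0
    tab=$(printf '\t')
    while IFS="$tab" read -r commit author committer; do
        [ -n "$commit" ] || continue
        for pair in "author:$author" "committer:$committer"; do
            role=${pair%%:*}
            email=${pair#*:}
            if ! is_private_email "$email"; then
                printf '%s %s %s\n' "$commit" "$role" "$email"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample history (not real commits or addresses).
SAMPLE=$(printf '%s\t%s\t%s\n' \
    a1b2c3d 12345+alice@users.noreply.github.com 12345+alice@users.noreply.github.com \
    e4f5a6b alice.dedicated@example.com alice.dedicated@example.com)
```

Feeding `$SAMPLE` to `check_commit_emails` reports only commit `e4f5a6b`; the non-zero return makes the function usable as a pre-push gate.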
Spam was sent to the email address disclosed by Weblate. Isn't this an ISSUE? We can consider actions such as :
No, my friend, NO. Whether you say tomato or tomatoe, does not change the fact of what it is. If you get your hands on one, you would probably eat it. It is no different for when a contributor or a spammer sees your address. All GitHub does is to give you a fake email to use where those open projects do not try to check back because it is on GitHub as well. Those fake addresses are still OPEN, they are just not reply-able. And this still does not change the fact that "you have to share something".
Even GitHub wouldn't/shouldn't do that, because when your contribution is committed, it is now the responsibility of the project owners/contributor. Someone administering the project has to "reset" those commits where your email exists, and/or change parts if it gets deeper in the projects, such as "contributor.md" file.
Our legal terms overview (so that you don't even have to read the full terms, just 4 bullet points) says: “Your name and e-mail address is used in VCS commits, it will stay there indefinitely.” Terms of service state: “The User agrees to use of name and e-mail as authorship in the VCS commits. The User understands that this grant is non-revocable due to the nature of the VCS.”
As mentioned before, this is not really feasible. Even if GitHub would do that for a single repository (which would be a breaking change for anybody who has cloned that repository), the e-mails would be still around in repositories cloned before. I'm pretty sure there are thousands of services having clones of public Git repos at GitHub. Sorry, but there is really no way back once something has been published on the internet.
This issue has been automatically marked as stale because there wasn’t any recent activity. It will be closed soon if no further action occurs. Thank you for your contributions!
Describe the issue
I have received spam mails. The email stated that they saw my GitHub profile. This email address of mine is used for Weblate, not GitHub. I used a dedicated email address. Spam is probably being sent to email addresses that Weblate has embedded in GitHub in the past.
Spam mail
Title: Github + Combinatronics
Body: Hello Github user,
We recently came across your GitHub profile and found ourselves impressed by the work you are doing.
We would love to help you expand your business with our Content Delivery Network offering.
With our CDN, we love to help you create a website with a performance as spectacular as everything else you do.
Are you ready to take your website to the next level?
The Combinatronics team
[Website address]
I already tried
Steps to reproduce the behavior
Expected behavior
No spam will be sent to the dedicated Weblate address.
Screenshots
No response