Git Rev News: Edition 102 (August 31st, 2023)

Welcome to the 102nd edition of Git Rev News, a digest of all things Git. For our goals, the archives, the way we work, and how to contribute or to subscribe, see the Git Rev News page on git.github.io.

This edition covers what happened during the months of July 2023 and August 2023.

Discussions

Support

• Git Privacy

  Nick, alias Nicholas Johnson, asked on the Git mailing list if it would be possible to implement an integrated feature in Git, perhaps a config option, to obfuscate the committer and author timestamps that are stored in commits when they are created.

  Nick is the creator of Git Privacy which is a repository containing instructions in a README.md file that already helps developers obfuscate Git timestamps, and also explains why it can be a good idea to do so.

  The instructions suggest setting the GIT_AUTHOR_DATE and GIT_COMMITTER_DATE environment variables when committing, so that the timestamps in these variables are recorded instead of the current date, time and timezone.

  Nick thought that using such environment variables or other not fully integrated mechanisms like Git hooks was too cumbersome and asked for ideas or feedback about how to improve the situation.

  Junio Hamano, the Git maintainer, replied to Nick, saying that his opinion was that it might not be worth implementing an integrated feature, as using such a feature removed “half the value of keeping your work in [a] source code management system”. Especially it would make it harder to refute possible claims that the source code contained stolen proprietary IP (Intellectual Property).

  Nick replied that he conceded it might not be worth it to implement his original suggestion. He said that having Git automatically converting local time to UTC in the timestamps it records could still be useful to avoid leaking the developer’s time zone. He pointed to a Gerrit issue about this.

  Junio replied that he still thought it wasn’t worth the effort as there was not enough reason to go against Git’s initial design to store the timezone.

  Nick replied to Junio saying that storing the timezone revealed private information about developers without much gain, and that a config option could let users decide about doing this or not.

  This led to a separate sub-thread where Nick and Jason Pyeron started to design a --privacy=option1,option2 with corresponding config variables to change the timezone, specify a date precision, etc. brian m. carlson said he would support timezone and timestamp tweeking options and made some technical suggestions too.

  René Scharfe chimed in on the main thread saying that “timezone and timestamps are personal data, which may only be collected and processed for a lawful purpose according to the GDPR”, referring to the European Union’s General Data Protection Regulation. So he thought that the user should be able to control if that data should be stored or not, and it was a usability issue if he could not easily do that. He also noticed that git commit already has a --date=<date> option to change the author date and a --signoff option for adding Signed-off-by: Author Name <author@example.com> trailers. He concluded by saying “adding config options for controlling timestamp granularity is hard to say no to”.

  Nick replied that he was asking for this feature for moral reasons not for legal ones. He took the example of the I2P project which is a layer on top of Internet to protect people’s activity and location, saying that most developers of the project don’t want their timezones leaked as they are known only under pseudonyms.

  Junio replied to René saying that the --date=<date> option had good reasons to exist. For example, the committer might be relaying somebody else’s changes, or a system clock might have an issue. He also thought that the existing two environment variables are the right place to draw the line, as Git developers shouldn’t be pretending to be security engineers and invent their own time obfuscating mechanisms.

  In another email, Junio explained in more detail why it’s more important to be able to tweak the author timestamp than the committer timestamp. He also repeated that two environment variables were a good place for other security minded people to build on a quality “privacy enhancing date command” that could also be used outside the Git context.

  Junio replied to himself saying that a “–useless-time” option, or a “core.uselesstime” configuration variable to make timestamps only use UTC and be otherwise nearly meaningless could be OK though, as they wouldn’t have “privacy” in their name and wouldn’t pretend to be a quality privacy feature. He laid out how such a feature could work, and noticed that features like git log --since=... wouldn’t then be expected to properly work.

  Nick agreed that such a feature shouldn’t use “privacy” in its name, and said that Junio’s proposed feature would satisfy the privacy use case he was interested in, and that he didn’t want more than that.

  Theodore Ts’o then chimed in to point out that “someone still might be able to figure out information from when a branch gets pushed to a git repo”. He mentioned that for example GitHub, GitHub actions and integration systems could also leak information about when users are active.

  Nick replied to Ted saying that protecting privacy had to start somewhere, even if not all the tools were already doing it.

  Future will tell if someone will actually implement something along the lines that have been discussed, and whether it will be a “privacy enhancing date command” usable outside the Git context, or an option integrated into Git.

Developer Spotlight: Calvin Wan

• Who are you and what do you do?

  My name is Calvin Wan and I’m a Software Engineer on the Git Core team at Google.

  I also enjoy playing poker, volleyball, and ping pong. I play the World Series of Poker Main Event every year and one of these years I’m hoping to make the final table 😄

• What would you name your most important contribution to Git?

  I’m hoping my in-flight series for a Git Standard Library will become my most important contribution to Git…at least for now 😄

• What are you doing on the Git project these days, and why?

  Currently working on getting Git Standard Library merged – to summarize it will serve as the foundation for other libraries in Git to be built off of. When we first embarked on this journey towards libification, we had many reasons for doing so, most of which Emily captured in the initial proposal.

• If you could remove something from Git without worrying about backwards compatibility, what would it be?

  Old style submodules. Submodule development is already difficult to work on, and having extra bits and pieces in the codebase that exist for the sole purpose of not breaking old style submodules added an extra layer of complexity I wish I didn’t have to reason about.

• Do you happen to have any memorable experience w.r.t. contributing to the Git project? If yes, could you share it with us?

  Attending Git Merge 2022! I enjoyed meeting the people I had been interacting with on list – putting a face to the name was particularly exciting. I also enjoyed the discussions at the Contributor Summit and the talks that followed.

• What is your toolbox for interacting with the mailing list and for development of Git?

  I develop using VSCode and send my patches with git format-patch and git send-email. For patches upstream, I use b4 am + git am to test locally. When I reply to patches I use a script I modified from Jonathan Tan to set up the replies for git send-email. For simple replies and emails, I use Gmail’s plaintext mode.

• What is your advice for people who want to start Git development? Where and how should they start?

  I think there are plenty of good resources out there that others have probably mentioned before (Pro Git book, MyFirstContribution, git-mentoring list), but the one suggestion I would have is spend less time worrying about getting the right setup and spend more time getting your patches to list!

Other News

Various

• Highlights from Git 2.42 by Taylor Blau on GitHub Blog. Those include faster object traversals with reachability bitmaps, excluding references by pattern in git for-each-ref, preserving precious objects from garbage collection via gc.recentObjectsHook, and other changes.
• Git 2.42 Released With Less Warnings For SHA-256 Usage by Michael Larabel on Phoronix.
• GitLab Gitaly project now supports the SHA-256 hashing algorithm by John Cai on GitLab Blog.
  • Gitaly is an RPC interface to Git used by GitLab, first mentioned in Git Rev News Edition #24.
• Sourceware 25 Roadmap: roadmap for the next 25 years on [almost] the 25th anniversary (Sourceware came online on 6 September 1998).
  • Sourceware service was first mentioned in Git Rev News Edition #88.
• Lazygit Turns 5: Musings on Git, TUIs, and Open Source by Jesse Duffield on his Pursuit Of Laziness blog.
  • lazygit is a simple [windowed] terminal UI for Git, written in Go. It was first mentioned in Git Rev News Edition #42; you can find links to other articles about this tool in Edition #61 and #81.

Light reading

• 7 Git Mistakes a Developer Should Avoid by Bruno Brito on Tower Blog, describing why some habits – committing unrelated changes together, writing bad commit messages, not using .gitignore, leaving outdated merged-in branches, using force push in a shared repository, storing API keys and other secrets in a repository, and storing large binary files – cause problems, and how to prevent them (often how to do it with the help of the Tower Git client).
• Simplified: 8 Guidelines for Commit Message by Tito (titusnjuguna) on DEV.to.
• Security in Code Reviews: Ensuring Secure and Robust Software Development by Jatin Sharma for Documatic, lists some common security vulnerabilities, presents a few examples of real-world incidents, and explains how to incorporate security into the code review process (and what the challenges are).
• One Git Trick for Perfect Commits by Raman Nikitsenka (0ro) on his blog (and also on DEV.to). The trick to avoid “fix: …” commits littering history is to use git commit --fixup and git rebase --interactive --autosquash (before submitting changes).
• Git Config Articles: Pragmatic Suggestions for Customizing Your Git Setup from Karl Stolley by Margaret Eldridge in The Pragmatic Programmers on Medium. It is a list of Git Config articles written by Karl Stolley for The Pragmatic Programmers.
• Simplify Your Workflow 📈: A Guide to Standardizing Commit Messages with Husky 🐶 in Monorepos 📦 by Muhammad Harith Zainudin on DEV.to.
  • Husky, a Git hook management tool, was first mentioned in Git Rev News Edition #63; you can find links to other articles talking about it in #87 and #89.
  • The idea of Monorepos (using a single repository for the whole codebase) was first mentioned in Git Rev News Edition #4. You can find links to articles advocating for and against monorepos in Git Rev News Edition #47, and a list of pros and cons of monorepos in Edition #81. Monorepo.tools is a place where you can find information about monorepos and tools for handling them (this site was first mentioned in Git Rev News Edition #84).
• You won’t believe how much time you will save with this Git pre-push hook by Ivan Morgillo on his blog, about integrating Git hooks with static code analysis tools, such as Detekt (a static code analyzer for Kotlin), for Android projects.
• Git advanced (text) diff: .odt, .pdf, .doc, .xls, .ppt by Maxime Bréhin on Medium (2016) describes how to configure textconv gitattribute for those files.
• IAMbic: Bridging the Gap Between IAM (Identity and Access Management) Changes and Version Control by Curtis Castrapel on Noq company blog. IAMbic detects IAM changes, whether you’re using Terraform, Cloudformation, or directly making changes via the AWS Management Console, and creates Git commits to represent the exact state of your IAM in a Git repository.
• Delta: A new git diff tool to rock your productivity by Axel Navarro for Cloud(x); on DEV.to (posted on 16 Jul 2020, updated on 22 May 2022).
  • Delta, a syntax-highlighting pager for git, diff, and grep output, was first mentioned in Git Rev News Edition #86.
• Git Files Hidden In Plain Sight 🫥 by Tyler Cipriani on his blog, about some wonderful bad ideas, like storing data in a repository in a way that GitHub thinks it is empty.

Easy watching

• Git Hidden Gems - Enrico Campidoglio - NDC Oslo 2023 (length: 59:11).
  Talks about 04:15 pretty logs, 08:23 pretty diffs, 10:24 staging, 18:57 searching, 22:27 automation, 28:48 dot notation, 33:20 rebase onto, 38:24 reflog, and 45:44 rerere.
• Pijul: Version-Control Post-Git • Pierre-Étienne Meunier • GOTO 2023: the presentation recorded at GOTO Aarhus 2023 (length: 50:10).
  Pijul was first mentioned in Git Rev News Edition #9.

Git tools and sites

• Git Tag Ops by Iterative.AI turns your Git repository into an Artifact Registry. Together with DVC (Data Version Control), GTO serves as a backbone for Git-based Iterative Studio Model Registry. GTO works by creating annotated Git tags in a standard format. Written in Python.
  • DVC and GitOps were first mentioned in Git Rev News Edition #42.
• Turtle is a graphical interface for version control intended to run on GNOME and the Nautilus file manager. Written in Python using GTK4 and libadwaita for the GUI, and pygit2 for interacting with Git, with Nautilus plugin support.
  • See TortoiseGit, Windows Shell interface to Git, providing overlay icons showing the file status, and a powerful context menu for Git in a file manager. Tracked since Git Rev News Edition #57.
  • Turtles, tortoises, and terrapins are common names used for animals from a taxonomical order of reptiles named Testudines.
• Commit is a command palette-style Git client for blazing-fast commits. You open it with a keyboard shortcut, write your commit, and Commit will automatically detect which repo you’ve been working on. Written using the Tauri toolkit in TypeScript and Node.js for UI, and Rust for the backend. Inspired by TailwindUI’s Commit template.
• GitButler (currently in alpha phase) is intended to be a Source Code Management system designed to manage your branches, record and backup your work, be your Git client, help with your code, etc.; focusing on everything after writing code in your editor and before sharing it on GitHub.
• GQL (Git Query Language) is a query language with a syntax very similar to SQL, with a tiny engine to perform queries on Git repositories on the fly without the need to create database files or convert .git files into any other format. Written in Rust.
  • Gitana, first mentioned in Git Rev News Edition #7, exports the data contained in one or more Git repositories to a relational database, relying on an incremental propagation mechanism that refreshes the database content with the latest modifications in Git repositories. Gitana has been archived in September 2022 and is not maintained anymore. Written in Python.
  • gitbase, first mentioned in Git Rev News Edition #48, is a SQL database interface to Git repositories (on the fly), implementing the MySQL wire protocol. It can be used to perform SQL queries about the Git history and about the Universal AST (Abstract Syntax Tree) of the code itself. Was a part of now defunct source{d} Community Edition, still in alpha phase. Written in Go.
  • MergeStat (demo) enables SQL queries for data in Git repositories (and related sources, such as the GitHub API). It allows you to ask questions about the history and contents of your source code. Written in TypeScript, can use Docker Compose to run locally.
    mergestat-lite is a command-line version of the tool, which runs SQL queries against local git repositories. Written in Go.
    MergeStat was included in “SQL for querying Git repos” tools list in Git Rev News Edition #82.
  • World of Code is an infrastructure for study of software supply chains, utilizing Tokyo Cabinet, custom binary storage, MongoDB, and Clickhouse to store data, and which provides shell API and (limited) Python API for querying data from 173 million Git repositories on their infrastructure. Described in an article on arXiv from 2020.
• git-com by masukomi is an interactive CLI tool to help you create commit messages that are not only readable, but follow a standardized format. Described in this Mastodon thread. Written in Bash.
• git-identity (in Go) and GitID (in TypeScript, uses Node.js) are both tools that provide a convenient command-line interface to manage and switch between multiple identities on a single user account.

Releases

• Git 2.42.0, 2.42.0-rc2, 2.42.0-rc1, 2.42.0-rc0
• Git for Windows 2.42.0(1), 2.42.0-rc2(1), 2.42.0-rc1(1), 2.42.0-rc0(1)
• libgit2 1.7.1
• Bitbucket Server 8.13
• GitHub Enterprise 3.9.4, 3.8.9, 3.7.16, 3.6.18, 3.9.3, 3.8.8, 3.7.15, 3.6.17, 3.10.0
• GitLab 16.3 16.2.4, 16.1.4, 16.2.3, 16.2.2, 16.1.3, and 16.0.8
• GitKraken 9.7.1, 9.7.0, 9.6.1
• GitHub Desktop 3.2.9, 3.2.8
• git-credential-azure 0.2.2, 0.2.1, 0.2.0, 0.1.0
• git-credential-oauth 0.10.0

Credits

This edition of Git Rev News was curated by Christian Couder <christian.couder@gmail.com>, Jakub Narębski <jnareb@gmail.com>, Markus Jansen <mja@jansen-preisler.de> and Kaartic Sivaraam <kaartic.sivaraam@gmail.com> with help from Calvin Wan and Štěpán Němec.