Re: Wildcards in mailmap to hide transgender people's deadnames

["Ævar Arnfjörð Bjarmason" <avarab@gmail.com>]

On Mon, Sep 19 2022, brian m. carlson wrote:

> [[PGP Signed Part:Undecided]]
> On 2022-09-19 at 11:20:13, Ævar Arnfjörð Bjarmason wrote:
>> I.e. I think a "deadname" use-case of this would probably:
>> 
>> * Have some comment at the top of .mailmap about why some values are
>>   over-encoded (or perhaps it would be obvious to everyone working on
>>   that repo why someone was encoding the "plain ASCII" A-Za-z0-9 space).
>
> I don't think we need to do this.  First of all, it makes people curious
> and nosy, and it draws attention to the situation when in many cases,
> other contributors might not even notice as they're updating the
> mailmap.  

Sure, to clarify I meant this is something that a downstream project
using the .mailmap might want to add, or they might now.

> Adding lots of attention is going to add the potential for
> harassment.

I'm in no way minimizing that potential for harassment, doxxing etc., in
fact I'm vehemently agreeing whith that point. But I think this gets to
the crux of our disagreement.

I think it would be irresponsible of us to provide a feature that looks
as though it can in any way mitigate those concerns.

If you're someone that's worried about being harassed if someone makes
the link from your previous identity Y to your current identity X where
you already have Y as part of a public git history. The right answer is
to not submit a change to the .mailmap to explicitly connect the two.

>> But should not:
>> 
>> * Assume that other tools such as "fsck", "check-mailmap" or even "log"
>>   won't have future features that make de-obscuring these values easier,
>>   or something that's part of a normal workflow.
>
> Your statement that you intended to write exactly such a feature was the
> main reason I dropped the SHA-256 hashed mailmap series.  I don't think
> it's constructive to offer or propose to offer such a feature in Git if
> we're trying to obscure people's names in the mailmap, and as such I
> would want to see a guarantee that we wouldn't implement or accept such
> a feature.  I don't see the point of obscuring names in the mailmap if
> we're just going to print them next to each other in the future, and I
> don't think it's moving us towards a solution to suggest that we might
> do that in the future.

I haven't gone back and re-read that whole thread, but I think I was
mainly pointing out that we or someone else can and probably will write
the trivial reverse mapping.

Hence my point above, even if we carefully scrutinize every change to
git.git to ensure that we never implement a feature that de-hashes the
hashes you proposed all it'll take to defeat the entire mechanism is
something trivial like:

	diff -u <(git log) <(git log --no-mailmap)

> I'm happy to resurrect my SHA-256 hashed mailmap series if we're
> all willing to agree to not implement trivial decoding features.

I'd think you'd want to be really clear about what that forward promise
would entail. E.g. I've sometimes wanted a way for "git log" to report
when it munges commits due to adding notes, re-encoding the data etc. If
someone submits that sort of feature should it always explicitly leave
out mailmap-related rewrites?

And even if it does, who do we think we're really helping in the end,
given the trivial way you could get that with an external "diff" with
the one-liner above?

> I also have an alternate proposal which I pitched to some folks at Git
> Merge and which I just finished writing up that basically moves personal
> names and emails out of commits, replacing them with opaque identifiers,
> and using a constantly squashed mailmap commit in a special ref to store
> the mapping.  This doesn't address changing identities in existing
> commits, which as we've seen are nearly impossible to fix, but it does
> address new ones.  I've sent it out at
> https://lore.kernel.org/git/20220919145231.48245-1-sandals@crustytoothpaste.net/.

As I understand the difference in this scenario a hypothetical future
repo's Y commit's authorship would have been opaque in the first place
using this mechanism, and via your "refs/mailmap" you'd have mapped
Y=Bob.

You then make a future X commit, and map X=Alice, and have a .mailmap
entry which mapped Y=X, but that entry would refer to the opaque value.

That certainly changes things in a fundamental way, and goes most or all
of the way to mitigating what I've been pointing out as a flaw in these
proposals.

I'd still be very much on the fence about whether we'd ever want to
recommend that to someone concerned with "harassment" and the like (as
opposed to a milder social preference), as all it would take to get to
that point is someone having a copy of the older "refs/mailmap" to
unmask the previous "Y".