1

That means others may push to my git repos, which are hosted on GitHub, so can anybody use

    git reset --hard first-commit-id
    git push

  1. Will this destroy my git repos hosted on GitHub?

  2. Will I lose my history if some bad guy runs the above command?

This issue is not the same as "How do I remove my public key from GitHub?"

hugemeow

3 Answers

2

I don't think just by resetting and issuing git push you will delete anything. However, there are other commands, such as git push -f that can delete or mangle your whole history, so I would say your worry is valid.

This thread is about the configuration with which you can prevent destroying the history, but as explained in another thread, that option is not available for configuring in GitHub.

So, if you allow everyone to push to your github repo, I think you have a valid reason to be concerned.

Edit: it should be noted though that this answer is valid only if others truly have access. By adding a public key you generally don't give anyone access, even though they'd own the same public key - for someone to push, they'd need to own the private key, not the public one.

eis
  • Sometimes I may have to work on public PCs, so I have to add that key to my GitHub account. If I forget to delete it from my GitHub account, someone may have the privilege to push to my repo. What I am afraid of is that some bad guy may destroy my repos :( – hugemeow Sep 27 '12 at 18:27
  • @hugemeow usually you'd need the private key, probably secured with a strong passphrase? – moooeeeep Sep 27 '12 at 18:34
  • @hugemeow OK. I would say it's a valid concern, but by adding a password to your ssh key, you would decrease the possibility quite a lot. Use a hard one, preferably computer-generated. – eis Sep 27 '12 at 18:35
  • @moooeeeep I understand hugemeow is referring to a case where he is generating a public/private keypair on a public computer and forgetting the private key there (in which case the pass would help), or using the computer's existing private/public keypair that can't be altered (in this case even adding a pass would not be an option) – eis Sep 27 '12 at 18:37
  • See [this FAQ](http://world.std.com/~reinhold/dicewarefaq.html) on passphrase strength – moooeeeep Sep 27 '12 at 19:07
1

1) If some guys use git push -f then yes, you could lose your commits in the repo. In this case you could create your own private key with a passphrase (when using a passphrase you could run ssh-agent to skip entering the passphrase during every push or pull).

2) git reset just moves the HEAD ref to the first commit and nothing more; you can fix it using git reflog, for example.

D.Y.
  • If my keys are created with a passphrase, then I should input that password every time I push to the git repo, right? – hugemeow Sep 28 '12 at 04:37
  • Nope, for this purpose you might use ssh-agent. If you use git bash (linux/windows) then read this doc: https://help.github.com/articles/working-with-ssh-key-passphrases. And when you are using (in windows) e.g. TortoiseGit then you should start ssh-agent.exe, which you may find in the folder with putty.exe – D.Y. Sep 28 '12 at 08:12
0

As a distributed VCS, you will have a personal local repo which is as secure as you make your machine.

The fact that the repo at Github has been given full public write access is a choice so shouldn't be seen as a security issue, rather it's an enabler for collaboration, which has a minor side risk of a non-collaborator trying to spoil things.

The key point is that you would still have a secure full personal copy of the repo so can continue to operate and collaborate. And restore the github copy after its defacement.

Philip Oakley
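
The behaviour the three answers describe, as an added shell example that is not part of the original thread: a plain push after a reset is refused, a forced push rewinds the hosted branch, and the branch is restored from a clone that still has the history. The repo names (hosted.git, owner, other), the branch name main and the demo identity are constructed for this example; receive.denyNonFastForwards is a standard git setting for a bare repo you host yourself.

```shell
#!/bin/sh
# Added example. hosted.git is a local bare repo standing in for the hosted
# one; owner/ and other/ are two clones with push access. All are throwaway.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
export HOME="$W"   # ignore the user's global git config
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

tip() { git --git-dir="$W/hosted.git" rev-parse main; }   # hosted branch tip
try_push() {   # $1 = clone, $2 = "" or -f; prints accepted/rejected
    if git -C "$W/$1" push -q $2 origin main 2>/dev/null
    then echo accepted; else echo rejected; fi
}

git init -q --bare "$W/hosted.git"
git --git-dir="$W/hosted.git" symbolic-ref HEAD refs/heads/main
git init -q "$W/owner"
git -C "$W/owner" symbolic-ref HEAD refs/heads/main
for n in 1 2 3; do
    echo "$n" > "$W/owner/f.txt"
    git -C "$W/owner" add f.txt
    git -C "$W/owner" commit -q -m "commit $n"
done
git -C "$W/owner" remote add origin "$W/hosted.git"
try_push owner "" >/dev/null
git clone -q "$W/hosted.git" "$W/other"
FIRST=$(git -C "$W/owner" rev-list --max-parents=0 main)
FULL=$(git -C "$W/owner" rev-parse main)

# 1. reset --hard plus a plain push: refused as a non-fast-forward update.
git -C "$W/other" reset -q --hard "$FIRST"
PLAIN=$(try_push other "")
# 2. push -f: the hosted branch now points at the first commit.
FORCED=$(try_push other -f); AFTER_FORCE=$(tip)
# 3. Recovery: the reflog of other/ still names the old tip, and the owner's
#    clone still holds every commit, so an ordinary push restores the branch.
REFLOG_TIP=$(git -C "$W/other" rev-parse 'main@{1}')
RESTORED=$(try_push owner ""); AFTER_RESTORE=$(tip)
# 4. On a bare repo you host yourself, this setting refuses history rewrites.
git --git-dir="$W/hosted.git" config receive.denyNonFastForwards true
GUARDED=$(try_push other -f)

echo "plain push: $PLAIN, forced push: $FORCED, guarded forced push: $GUARDED"
echo "restore from owner clone: $RESTORED"
```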