0

I have a basic question regarding the integrity of git.

When you remove/delete/reset a git commit which had some form of confidential information in it before, does it really! permanently, delete that committed code entirely from existence so that it cannot be restored or visible to anyone under any circumstances. To even the owners of the repositories.

P.S. My question is not regarding the ways to remove a git commit and its history.

Thinker-101
  • 554
  • 5
  • 19
  • 5
    In general: no, it doesn't. If that commit only ever existed locally you can use [`git gc`](https://git-scm.com/docs/git-gc) to clean up your local repo, but if you ever pushed that commit to a remote it will *not* be deleted there, even if it subsequently becomes unreachable from any branch, until and unless the administrator runs `gc` on that remote. – jonrsharpe Jan 18 '21 at 15:45
  • See e.g. the big red box on https://docs.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-repository – jonrsharpe Jan 18 '21 at 17:05

1 Answers1

1

Well, you say you don't want to discuss methods of deleting a commit, but until we know what procedure you think of when you say "removing a Git Commit and its history", we can't really know how thoroughly your procedure would remove the data.

There are some general things we can say, however.

First, git's purpose is to preserve history. Once a piece of information is committed, git will not casually discard it because it doesn't want to lose something you might later say you want back. So even with just a single local repo, you have to know all of the ways git tracks a piece of information (various types of ref plus the reflog, roughly) before you can talk about removing that information from teh repo.

(The comment discussion on your question mentions gc; be aware that what it says is incomplete, and if you're in a situation that requires the use of gc then you should refer to the documentation to understand what it does and does not do.)

But bottom line, you generally control information you haven't pushed, because at worst you could just delete the local repo and re-clone. This might cost you other work that hasn't been pushed, but at least it's an option.

Once you push to a shared repo, the situation is much more complex. The ability to truly clean data from the remote depends on how the remote is hosted; but when we're talking about confidential data that's moot.

The instant you push a piece of info to the remote, someone else can fetch it. Generally you can't tell if/when they do; and once they have, there is nothing you can ever do to make them delete it. If you push confidential information to a shared remote, the genie is out of the bottle.

(One specific example that may or may not have anything to do with your situation, but is common enough to warrant a call-out: if you push a password or other login credential, that credential is compromised and must be immediately changed.)

Mark Adelsberger
  • 42,148
  • 4
  • 35
  • 52