Asking for a friend.
Scenario
Confidential information has been pushed to a public GitHub repository by accident. As soon as the committer noticed the failure, he decided to override the git history with push -f to remove the information from the web.
Problem
The confidential information is still accessible via git reflog at GitHub. So the staff at GitHub is still able to access the information.
Even worse, if the committer has put a reference in the initial commit message, e.g. referencing an issue using the #-sign, GitHub would automatically put a link to the commit into that issue. In this case the overridden information is still accessible via the GitHub frontend.
Question
As far as plain Git is concerned, no, it is not possible.
But on the other hand, "remote" repositories — those everyone pushes to and fetches from — are "bare", and bare repositories are initialized with reflog disabled by default.
As for GitHub, this is a completely different story, as they do not serve the repositories using "plain" Git, and consequently server-side management of the repositories is really outside of the Git realm — please see what the GitHub docu says:
'Once you have pushed a commit to GitHub, you should consider any data it contains to be compromised.'
1) Re-write the history using any of the available tools.
2) Force-push the result to overwrite what's already there.
3) Contact GitHub for further assistance. If that happened at your $dayjob, this should be an official contact. Before doing that, whoever is to contact GitHub should read their "terms and conditions". When contacting, one should politely ask what the possible repercussions are, and whether it's possible to prevent possible spreading of the compromised information using ways other than fetching from the repo (which was already fixed). I mean, say, repo replicas or backups or whatnot internal to GitHub.
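What steps 1 and 2 leave behind, shown on a throwaway local bare repository standing in for a remote. This is an added example, not part of the answer above: the file names and the key value are constructed, and it shows plain Git behaviour only, not how GitHub stores repositories.

```shell
#!/bin/sh
# Added illustration: a local bare repository stands in for "the remote".
# All paths, file names and the key value are constructed for this demo.
demo_force_push_leftovers() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    # Isolate the demo from the user's and the system's git configuration.
    HOME=$work; GIT_CONFIG_NOSYSTEM=1; export HOME GIT_CONFIG_NOSYSTEM
    commit() { git -c user.name=demo -c user.email=demo@example.invalid commit -q "$@"; }

    git init -q --bare "$work/remote.git"
    git init -q "$work/clone"
    cd "$work/clone" || exit 1

    echo "hello" > README
    git add README && commit -m "initial commit"
    echo "API_KEY=constructed-not-a-real-key" > secret.txt
    git add secret.txt && commit -m "add config"
    leaked=$(git rev-parse HEAD)
    git push -q "$work/remote.git" HEAD:refs/heads/main

    # Steps 1 and 2 from the answer: rewrite history, then force-push.
    git reset -q --hard HEAD~1
    git push -q -f "$work/remote.git" HEAD:refs/heads/main

    remote() { git -C "$work/remote.git" "$@"; }
    yesno() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

    # The branch no longer leads to the leaked commit ...
    echo "reachable_from_branch=$(yesno remote merge-base --is-ancestor "$leaked" refs/heads/main)"
    # ... but the commit object is still in the remote's object store.
    echo "object_still_stored=$(yesno remote cat-file -e "$leaked^{commit}")"
    # A bare repository keeps no reflog for the branch by default.
    echo "bare_reflog_file=$(yesno test -e "$work/remote.git/logs/refs/heads/main")"

    # Only someone with access to the server-side repository can run this.
    remote gc -q --prune=now
    echo "object_after_prune=$(yesno remote cat-file -e "$leaked^{commit}")"
)

demo_force_push_leftovers
```

The force-push only moves the branch: the leaked commit stays retrievable by its hash until whoever controls the server-side repository prunes it, which on a hosted service means the secret has to be rotated and the host contacted, as in step 3.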