FYI: Data from deleted GitHub repos may not actually be deleted

Re: Yes and no

> The commit is to a *public* upstream, not a private repo.

That seems to be the issue tho - Joe W's example is that the deleted commit *is* in the private repo, but it's still accessible from the forked parent. (TBH that scenario brings up the possibility of a "private" fork effectively being public, depending on how that link back to the parent is set up, but as I read it the issue is only with deleted [or "deleted"] entities.)

Re: Yes and no

> Also - as far as I can see it's not actually possible to create private native GitHub forks of public repos in GitHub

The example they cite is when you have a private repo that will eventually become public, fork it to make permanently-private fork and then later make the original repo public. Anything commited to the still-private repo up until the point the first repo is made public, can be accessed from the now-public repo. (As long as you know the commit hashes, that is - but unfortunately they're easily discoverable.)

Re: Yes and no

The one case they talk about where the contents of private repos become publicly viewable is when a formerly-private repo with a private fork is made public.

In that case, any commits made to the still-private fork up until the time the parent repo became public are accessible from the public repo. That runs counter to users' expectations.

(Any commits made to the private repo *after* the parent one has gone public will remain private, however.)

The issue is that people are mentally modelling forks as "that's my copy of the repo, completely separate from the original" whereas in reality the fork is just a different interface to the same pool of blobs. Furthermore, while you wouldn't be able to access commits from another fork in the same pool of blobs unless you know the commit hash, github makes those commit hashes discoverable.

Re: Yes and no

Im ignorant of how this all works first off.

But would rotating the keys actually do anything as the old data is still there?

Re: hard disks

Dangling commits are just references to existing data, so all that's being created is metadata. My guess is that only a tiny fraction of the actual data that's committed to GitHub is ever "deleted" anyway, so the overhead of not actually ever deleting any data is proportionally tiny.

Any decent change-management system, including git, is mostly storing deltas, so in effect it's de-duplicating within a repository. If GitHub has de-duplication technology running across repositories (for all the cases where someone copies a file from repo X to repo Y, or commits a bunch of standard headers or boilerplate code or whatever), then they potentially save on a huge amount of storage there too. And most of what's on GitHub is source code, which compresses well.

Sure, GitHub needs a lot of storage by some measures, but compared to other giant applications hosted by Microsoft (e.g. Bing) or other firms, it's really not very big at all.

Re: "this is expected and documented behavior inherent to how fork networks work"

There are plenty of people who use git without knowing how it works. We use it to store teaching materials, and although all of us are quite bright and also have all the training required to understand git in intimate detail, most of us can't be bothered. I know "git pull", "git add", and "git commit", which is all I need to get on with my actual job of teaching the students. In previous years, we even used it to collect student exercises, though thankfully that's gone, and I guarantee less than 10% of the students had any idea of what was going on. Git is used by inexpert git-users any time somebody in position of either power or enthuisiasm decides to use git for a project/job.

Re: "this is expected and documented behavior inherent to how fork networks work"

I don't know how many people this applies to, but there are many who don't know much about Git and use it anyway. When someone first picks up the tool, it looks pretty easy. You add a file, you commit the changes, you push. The code goes up. When someone else has made changes, you pull. Great, I understand Git.

They think that right up until their first merge conflict. Oh, I can't just push while someone else might be doing the same thing. So they learn branches. I push to my branch, you push to your branch, then we merge them. Great, I understand Git.

They think that until they need to get code back. How do I find the code after someone's merged over it? None of my commands do that. So they learn some other ones that work with the history, and they learn some blunt tools for returning to the head. Great, I understand Git.

They think that until a branch merge conflict. Okay, it's time to learn rebase, and rebase isn't a simple command. But they read about it and do some experiments, but now, they know they don't understand Git, at least not fully.

I can't say I do either. I have a relatively good understanding of some of the internals. I know enough to know that you can't simply delete a commit and expect it to become invisible. I can describe some of the internal structures accurately, and I can sound confident when I do it as long as people only ask about the ones I've actually looked at. But since I have not written code inside Git, nor have I memorized every manual page in it, I do not know everything there is to know about Git. Nor am I the least knowledgeable person on my team. We know enough about Git that we get what we need and don't break things. That doesn't make us experts. And we're professional users. There are lots of beginners who know less because they've used it less.