tags:

views:

24

answers:

1
+1  Q: 

How can I remove a file from git using filter-branch making it so I cannot still git grep the contents?

Hi,

I've been trying really hard to remove a file with sensitive data from my git repository using this excellent page (among others): http://help.github.com/removing-sensitive-data/

the primary line being: 

git filter-branch --index-filter 'git rm --cached \
    --ignore-unmatch FileWithSecrets.java' HEAD

However even when I follow the instructions including the pruning and garbage collection of objects the fact that I've rewritten the history does not seem to remove the file completely.

The point being I can still find the file's contents using git grep: git grep $(git rev-list --all)

....and it still shows up.

Am I missing something obvious or non-obvious? Why can I still "git grep" the contents?

I do see that the file is no longer in the changeset when I do a "git show" of the commit where it got added. But even so I can still grep it - like it's been removed from the branch history but is still floating out there?

Git is fun, cool and amazing but really can shake one's self confidence :)

thanks!! Brendan

+1  A: 

I didn't try this, but since the last argument to git filter-branch is defined as [--] [<rev-list options>...] and you're getting the sensitive info from the revs in git rev-list --all, this should work:

git filter-branch --index-filter 'git rm --cached \
--ignore-unmatch FileWithSecrets.java' -- --all
                                       ^^^^^^^^
al  2010-08-31 08:01:33
Yup, providing HEAD as the argument as the OP did means that only HEAD is rewritten - not even the branch HEAD is pointing to!
Jefromi  2010-08-31 12:59:33
Thanks so much for the answers - pointing out both the HEAD mistake and the --all argument. I did try the new command+cleanup and it still did not remove the file from "git grep" results.I'm wondering if the problem might have something to do with the fact that I have tagged several commits with "git tag" and those are being treated as separate branches. I tried checking each of these out individually and running the above filter-branch, but I can still grep the 'secret string'.I did try seeing if I could reproduce with a simple repo, but the commands work.
Brendan  2010-09-02 15:25:36
Your annotated tags should also get rewritten with the --all argument.Did you run the cleanup steps mentioned in the github instructions you linked? `$ rm -rf .git/refs/original/` `$ git reflog expire --all` `$ git gc --aggressive --prune`
al  2010-09-02 21:19:19

related questions

Managed Source Control Hosting and Continuous Integration with CVSDude and CruiseControl.net
What is the best way to handle files for a small office?
The theory (and terminology) behind Source Control
Setting up Subversion on Windows as a service
Configuring VisualSVN Server to use _svn instead of .svn
Finding untracked files in a Perforce tree
Learning Version Control, and learning it well
Common Types of Subversion Hooks
Source control for web projects.
How do you deal with configuration files in source control?
Undoing a git reset --hard HEAD~1
Database Version Control
Version control PHP Web Project
DVCS Choices - What's good for Windows?
What is a good Mercurial usage pattern for this setup?
Experience with SVN vs. Team Foundation Server?
What is the difference between all the different types of version control?
Version Control. Getting started...
How do I create a branch in SVN?
Federated (Synced) Subversion servers?
Different Distributed Version Control Systems working together
What are the advantages of using SVN over CVS?
Is there a version control system for database structure changes?
Distributed source control options
How do I version my MS SQL database in SVN?