Very basic git question:
I uploaded some compromising information to Github and am using bfg to clean the repo. I followed the documentation and performed the following actions:
$ git clone --mirror git://example.com/some-big-repo.git
$ bfg --replace-text passwords.txt my-repo.git
Found 233 objects to protect
Found 9 commit-pointing refs : HEAD, refs/heads/experimental, refs/heads/master, ...
These are your protected commits, and so their contents will NOT be altered:
* commit 497fc1c8 (protected by 'HEAD')
Found 80 commits
Cleaning commits: 100% (80/80)
Cleaning commits completed in 301 ms.
BFG aborting: No refs to update - no dirty commits found??
A quick way to check if a password is still in your history might be to use the 'git pickaxe', aka the
-S option. Here's an example that checks for the string
git log -Spassword1
However, from the output shown in your question, it looks like The BFG couldn't find any of the entries from
passwords.txt in your repo (prompting the messsage 'no dirty commits found??' which you see at the end of the output), which is a bit strange if you're sure they're in there. Was this the first time you'd run the BFG on the repo? Perhaps it was the second time, and The BFG had already removed the passwords?
passwords.txt file you give to The BFG should have one password per line, ie:
changeme password1 password2
The BFG only looks at text files under 1MB by default. Are your passwords in some file that might appear to be binary, or bigger than 1MB?
Update: For seeing what's changed in a repo-clean-up, you could also try Eric S. Raymond's
repodiffer (part of his reposurgeon project): http://www.catb.org/~esr/reposurgeon/repodiffer.html - you use it like this:
$ repodiffer old-repo-copy.git new-repo-copy.git
The script may take a while to run, but it will tell you precisely what has changed between those two repos.
Full disclosure: I'm the author of the BFG Repo-Cleaner.