by scrollaway 4134 days ago
Seems like a shaky justification. I understand not offering things that are up for deletion but there wasn't even a way to do git pull --i-really-want-everything or some such.

If you push passwords and keys to your git server, then force-push those things out, you most definitely want to run a gc. Git is a flimsy security layer around this.

2 comments

Of course you can't run "git pull --i-really-want-everything", you're the remote attacker this feature is meant to protect against!

The use-case for this is that you're pushing to some shared hosting like GitHub where you can overwrite and delete refs, but you can't force a gc.

You don't want someone to scour your Git commit announcements and see "oops, deleted password!" and go and fetch the deleted SHA1.

Well if you don't have enough access to the remote machine to locally get the objects or run "git branch oops <sha1>", you probably also don't have access to run a gc to prune the objects. In that case the "permissive" alternative would mean that you could not remove access to the objects at all once they'd been pushed. Given that, I can see the justification for the behavior they chose.
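
Added example, not written by any commenter in this thread: a shell check of the behaviour discussed above, using two throwaway repositories created under mktemp (repository names, identity and the "secret" are all constructed). It shows that a commit removed by force-push is still in the server's object store until someone with local access expires reflogs and runs gc with --prune=now.

```bash
# Reports whether object $2 still exists in the repository at $1.
object_state() {
    if git -C "$1" cat-file -e "$2" 2>/dev/null; then
        echo present
    else
        echo gone
    fi
}

# Pushes a commit holding a constructed secret to a bare "server" repo,
# force-pushes it away, then prunes on the server side.
# Prints "<state after force-push> <state after gc>".
demo_leaked_commit() {
    local tmp server work leaked after_push after_gc
    tmp=$(mktemp -d) || return 1
    server="$tmp/server.git"
    work="$tmp/work"
    git init -q --bare "$server"
    git init -q "$work"
    git -C "$work" config user.email demo@example.invalid
    git -C "$work" config user.name demo

    echo "hello" > "$work/README"
    git -C "$work" add README
    git -C "$work" commit -q -m "initial"
    echo "password=CONSTRUCTED-NOT-REAL" > "$work/secret.txt"
    git -C "$work" add secret.txt
    git -C "$work" commit -q -m "oops, added password"
    leaked=$(git -C "$work" rev-parse HEAD)
    git -C "$work" push -q "$server" HEAD:refs/heads/main

    # Rewrite history locally and overwrite the ref on the server.
    git -C "$work" reset -q --hard HEAD~1
    git -C "$work" push -q --force "$server" HEAD:refs/heads/main
    after_push=$(object_state "$server" "$leaked")

    # Server-side cleanup: only possible with local access to the repo.
    git -C "$server" reflog expire --expire=now --all
    git -C "$server" gc -q --prune=now
    after_gc=$(object_state "$server" "$leaked")

    rm -rf "$tmp"
    echo "$after_push $after_gc"
}
```

Where you cannot run the cleanup step yourself, as on shared hosting, treat the pushed credential as exposed and rotate it.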