
Commits done to private repos being public (points 2 & 3) is always a non-minor security vulnerability IMHO.

It doesn't matter if it's behaving as intended or that there are forks.

Also, point 1 implies that GitHub likely doesn't properly GC their git repos, which could have all kinds of problematic implications beyond point 1 wrt. purging accidentally leaked secrets or PI...

All in all, it just shows GitHub might not take privacy/security seriously... which is kinda hilarious given that private-repo-using customers tend to be the paying customers.



You're right that they don't let commits get GC'd. They jump through hoops in order to keep commits that are not transitively referenced from being garbage collected. Just assume that every commit is kept around for "auditing".

One GitHub employee even contributed a configuration to Git which allows you to do the same thing: run a program or feed a file which tells the GC which nodes not to traverse.
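The two comments above turn on a point that is easy to verify locally: a commit that has been rewritten out of a branch is not gone, it is merely unreachable, and whether it disappears depends entirely on reflog expiry and the prune policy of whoever runs gc. The script below is an added example written for this page, not code from either commenter or from GitHub. It commits a constructed placeholder "secret", amends it away, and then shows three outcomes: a plain `git gc` (even with `--prune=now`) leaves the old commit readable because the reflog still references it; expiring the reflog and pruning removes it; and a `gc.pruneExpire=never` policy, standing in for the keep-everything behaviour described above, retains it even after the reflog is gone. The repository path, identity settings and file contents are all made up for the demonstration; the check worth keeping is `object_present`, which is what you run after any history rewrite before believing a secret is actually gone.

```shell
#!/bin/sh
# Added example (not from the thread): show that a commit rewritten out of
# history stays readable from the object store until its reflog entries expire
# and unreachable objects are pruned, and that a never-prune policy keeps it.

# Identity and default branch are passed as -c options so the example does
# not depend on the user's global git configuration. Values are placeholders.
GIT="git -c user.name=demo -c user.email=demo@example.com -c init.defaultBranch=main"

# Create a throwaway repo, commit a constructed placeholder "secret", then
# amend it away. Sets REPO (path) and LEAKED (sha of the discarded commit).
make_repo() {
  REPO=$(mktemp -d)
  $GIT -C "$REPO" init -q
  # Constructed sample content; not a real credential.
  printf 'api_token = EXAMPLE-PLACEHOLDER-NOT-A-REAL-SECRET\n' > "$REPO/config.ini"
  $GIT -C "$REPO" add config.ini
  $GIT -C "$REPO" commit -q -m "add config"
  LEAKED=$($GIT -C "$REPO" rev-parse HEAD)
  printf 'api_token = <set via environment>\n' > "$REPO/config.ini"
  $GIT -C "$REPO" commit -q -a --amend -m "add config (no secret)"
}

# Prints yes if the object is still readable from the repo, else no.
# Run this after any history rewrite before trusting that a secret is gone.
object_present() {
  if git -C "$1" cat-file -e "$2" 2>/dev/null; then echo yes; else echo no; fi
}

# Ordinary gc, even with --prune=now: the reflog still references the old
# commit, so it is reachable and survives.
gc_default() {
  git -C "$1" gc -q --prune=now
}

# Actual purge: drop every reflog entry, then prune unreachable objects now.
purge_unreachable() {
  git -C "$1" reflog expire --expire=now --expire-unreachable=now --all
  git -C "$1" gc -q --prune=now
}

# Retention policy in the spirit of what the comment describes: reflog
# entries are gone, but pruning is disabled, so the unreachable commit stays.
gc_keep_unreachable() {
  git -C "$1" reflog expire --expire=now --expire-unreachable=now --all
  git -C "$1" -c gc.pruneExpire=never gc -q
}

demo() {
  make_repo
  echo "after amend:            $(object_present "$REPO" "$LEAKED")"
  gc_default "$REPO"
  echo "after plain gc:         $(object_present "$REPO" "$LEAKED")"
  purge_unreachable "$REPO"
  echo "after real purge:       $(object_present "$REPO" "$LEAKED")"
  rm -rf "$REPO"

  make_repo
  gc_keep_unreachable "$REPO"
  echo "with pruneExpire=never: $(object_present "$REPO" "$LEAKED")"
  rm -rf "$REPO"
}

demo
```

The takeaway for the private-repo case is the last line: once the hosting side has decided never to prune, nothing the repository owner does with force-pushes changes whether the old commit is still served by hash. Locally, the only sequence that actually removes the object is the reflog expiry followed by a prune; a force-push alone corresponds to the "after amend" line.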



