1

Recently one of my team mate has done force push in git (remote repo on stash) and we lost most of our old commit history and I surprised to know we couldn't identify who did it.

I have googled it but couldn't get any satisfactory answer. Anyone here can help?

Zeta
  • 103,620
  • 13
  • 194
  • 236
Jimit Joshi
  • 435
  • 1
  • 4
  • 10
  • `git stash` and `git push -f` are two very different things. What are you asking? – J. Titus Apr 22 '16 at 13:20
  • How do you manage access to the git repository? SSH? Then have a look at the SSH access log. External services usually provide some kind of audit. If you use an internal service, make sure to have some backups available. – Zeta Apr 22 '16 at 13:20
  • I am talking about git push -f. We are using https://stash for our project to maintain remote git repo. – Jimit Joshi Apr 22 '16 at 13:21
  • @Zeta: We are managing git repo on stash through SSH I guess. It is managed by client so I don't have any visibility of logs. Where to look for the logs. – Jimit Joshi Apr 22 '16 at 13:26
  • @JimitJoshi: That's a ___local___ address. Maybe youre using [Bitbucket Server](https://www.atlassian.com/software/bitbucket/server) (previously called "stash")? – Zeta Apr 22 '16 at 13:41
  • Git has no access management built into, so there is nothing that restricts access, and as such nothing that logs who does what. It’s entirely the tool in the front that does this (in your case Atlassian’s Stash), so check if you have some push logs there (most repository management tools have this information; no idea about Stash though). – poke Apr 22 '16 at 13:42
  • Thanks poke. I have already escalated to our onsite team to check logs if there is any. – Jimit Joshi Apr 22 '16 at 13:47
  • [Relevant.](https://imgur.com/XFQLB) – Greg Bacon Apr 22 '16 at 14:22

1 Answers1

1

You cant know if for sure for some reasons:

  1. You can always "fake" the name and email if you are not using ssh key.

     git commit -c user.name <faked name> -c user.email <fake email> ...

  2. If the user has checkout and old commit and the forced push the commited will be the one who commited the last push (again assuming using http/https)

What you can do it to check the local repositories of the developers with the `git reflog``

--

You can try and read out the stash logs as described here
https://confluence.atlassian.com/stashkb/how-to-read-the-stash-log-formats-317951177.html

Again - this will be helpful if you use ssh keys. Otherwise its useless.

git reflog

git reflog will display any change which updated the HEAD , in your case pointing out who changed and commited the wrong commit.

enter image description here

How to prevent it for next time?

install this plugin for stash

Protect specific branches from force pushes

https://marketplace.atlassian.com/plugins/com.carolynvs.force-field/server/overview

Community
  • 1
  • 1
CodeWizard
  • 128,036
  • 21
  • 144
  • 167
  • Thanks CodeWizard, we already did the needful to avoid force push. I just wanted to know if there is a way to know the user who did the force push. I guess you are right, there isn't any straight forward way to identify it. Reflog can help. However in my case it seems someone from client end has done it so couldn't ask to investigate their local repo. :) – Jimit Joshi Apr 22 '16 at 13:36
  • some useful conversation on git for human being on the same. https://groups.google.com/forum/?fromgroups#!topic/git-users/2bQCdxxOAVA – Jimit Joshi Apr 22 '16 at 13:48
  • Correct me if I'm wrong, but reflog only shows your local state changes. – Nikola Diklich Feb 09 '23 at 10:36
  • You are absolutely right – CodeWizard Feb 10 '23 at 09:41