Harden 'safe-expunging-process'

[TomHennen]

In #1094 (comment) @marcelamelara said

I understand the practical reasons for needing to make exceptions in specific edge cases, but I also worry that the safe expunging process may still be worded too broadly. As in, the level of trustworthiness in a source repo at L2 still isn't super high, so what's to stop a rogue/malicious repo admin from abusing the safe expunging exception, especially since there's no documentation requirement? I'm wondering if it might make sense to raise the level at which such exceptions are permitted to make sure certain controls are in place and/or narrow the scope of the safe expunging process.

Let's make sure we're happy with this process before release.

[adityasaky]

More a follow up question about the current text:

Administrators have the ability to expunge (remove) content from a repository and its change history without leaving a record of the removed content.

I'm trying to understand the "without leaving a record" requirement. Would we have no trace of an object whatsoever? As in, not even its git ID / digest?

[TomHennen]

More a follow up question about the current text:

Administrators have the ability to expunge (remove) content from a repository and its change history without leaving a record of the removed content.

I'm trying to understand the "without leaving a record" requirement. Would we have no trace of an object whatsoever? As in, not even its git ID / digest?

I think part of the desire is to not call undue attention to the removal, which might be either especially important given the distributed nature of git (folks may have their own copy that has the removed content) or completely useless given the distributed nature of git (folks can just diff the things). Given the two extremes I think it's hard to actually say and perhaps we should leave that part up to the implementors. Let me make a proposal.