I accidentally committed sensitive information to a repository and then did a force push to remove that commit from the public repository.
After that I changed all exposed passwords.
This is a technical question about git. Will that record of the deleted commit remain existing inside my local git repository? And will it disappear after a period of time? Where is this documented?
After a push --force, the old historys' commits are still part of the repository. They are just not reachable via any branch. (There is a discussion about dangling commits resulting from a push --force here). When there is no reference to a commit anymore, a commit becomes dangling and will be garbage collected by git gc(see here for git gc documentation).
However, as long as there are any references to a commit, it will not be garbage collected. This is the case if there is no branch and no tag pointing to the commit and its not referenced from the reflog any more. The reflog part is explained in this discussion.
So, the answer is yes, your old commits will continue to exist, and yes, they will disappear after a period of time, but it's hard to tell when. You can try to remove all references by hand (via branch/tag deletion, if relevant, and git reflog --expire=<time> for the reflog reference, see here).
For a deeper understanding of whats going on deep down, I can recommend this article.
