Reputation: 9093
It is possible to deny forced pushes on server-side by setting receive.denyNonFastForwards or by adding a git hook (or in a different way for special GIT servers like Gerrit or GitHub). I would like to reject a forced update on client side (see also here), when doing a git fetch or git pull or a git pull --rebase. If I don't have access to the GIT server to reject forced pushes (or if I don't trust the server because others have access too), I might want GIT to stop with an error before changing any refs when a forced push was done. This could help to notice attackers changing the remote or if I simply want to know if somebody changes my commits (yes, if I really want to avoid somebody else committing using my name, I need to sign my commits using my key).
It seems not to be possible to run code after a fetch or pull command using hooks. I parse the output of git fetch and raise an error if "forced update" has been printed. But it would actually be better to detect this before refs are changed.
Is there a better way to do this?
Upvotes: 1
Views: 168
Reputation: 22047
max630's solution is fine, but let's just note that when you only want to check what would have been fetched/pulled you can, without any config hack, go for the dry run:
git fetch --dry-run
and you'll see what would have been, without modifying anything in your remote-tracking branches.
No similar trick for pull, but since a pull is a fetch + a merge, go for the dry-run fetch beforehand and you'll know what would have been pulled.
The limit of this technique, as kan rightfully noted in comments below, is its non-atomicity: the remote state could change in between your fetch --dry-run and the real thing seconds later. No harm to know it exists, anyway.
Upvotes: 0
Reputation: 9248
Edit the remote.fetch line from git config to remove "+" from it, then non-fastforward fetches would fail. It does not protect though from branch removal.
Upvotes: 2
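An added example, not part of any of the posts above: a shell function that detects rewritten or deleted branches before any remote-tracking ref moves, by fetching into a scratch namespace and testing ancestry. It covers the two limits the answers mention (the gap between a dry run and the real fetch, and branch removal). The function name and the refs/staging/ namespace are assumptions made for this example.

```shell
#!/bin/sh
# check_forced_updates REMOTE
# Returns 0 if every branch tracked from REMOTE can fast-forward to the
# remote's current tip, 1 if a branch was rewritten or deleted, 2 if the
# fetch itself failed. refs/remotes/REMOTE/* is never modified.
check_forced_updates() {
    remote=$1
    staging="refs/staging/$remote"   # hypothetical scratch namespace
    status=0

    # Download the remote's branches into the scratch namespace only.
    # The empty --refmap= stops git from also updating refs/remotes/$remote/*
    # through the configured remote.<name>.fetch refspec.
    git fetch --quiet --no-tags --prune --refmap= "$remote" \
        "+refs/heads/*:$staging/*" || return 2

    # Compare each branch we already track against the staged tip.
    for ref in $(git for-each-ref --format='%(refname)' "refs/remotes/$remote/"); do
        branch=${ref#"refs/remotes/$remote/"}
        [ "$branch" = HEAD ] && continue   # symbolic ref, not a branch
        if ! git rev-parse --quiet --verify "$staging/$branch^{commit}" >/dev/null; then
            echo "deleted on remote: $branch" >&2
            status=1
        elif ! git merge-base --is-ancestor "$ref" "$staging/$branch"; then
            echo "forced update: $branch" >&2
            status=1
        fi
    done
    return $status
}
```

When the function returns 0, merging the staged ref directly (git merge --ff-only refs/staging/origin/BRANCH) integrates exactly the commits that were checked, with no second fetch in between.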