Search code examples
gitdeploymentremote-access

Can I hide a branch in a git repo for all remote clones?


I have a central repository at server and local repos at local. In the server repo there is a branch live, that pulls from master sometimes, adds some modifications and is then used to update a service.

The live branch of server is of no interest for the users in their local repositories. They should not see it nor be able to fetch it / push to it, in short, interact with it in any way.

Is there any way in Git to allow such a behaviour: Prevent a branch of server from being listed in the local repositories?

local$ git remote add server example.com
local$ git fetch server
local$ git branch --remotes
server/foo
server/live     # <-- don't show this branch
server/master

A solution on server would be preferred. But as of now, since there is no untrusted committer at the moment, solutions just hiding the live branch via config in local repos would work, too.


Solution

  • Edit: as of git 1.8.2, git supports transfer.hiderefs (spelled transfer.hideRefs in the git config documentation). It was somewhat buggy until git 2.3.5 / 2.4.0 (as in, avoid it if you allow smart-http transfer, until you have 2.3.5 or 2.4.0 installed on the server).

    To hide server/live:

    git config --add transfer.hiderefs refs/heads/server/live
    

    This is not perfect hiding: it exposes the existence of the name to push probes (as does receive.hiderefs). See also uploadpack.allowTipSHA1InWant.

    No: the standard git remote protocols allow incoming querents to see all references. (You could fake it by removing the reference while serving clients, then re-inserting it, but you'd have to avoid any garbage collections from running if that is the only reference to the commit in question, and of course the reference would be unavailable to your own code at that time as well. It would be simpler to just clone the repo, and then remove the ref and serve from the "de-live-d" clone. Equivalently, but even simpler and probably faster, use a different repo to hold the "live" branch in the first place—that repo can fetch from the shared one as usual, but have its own private "live" branch.)

    You can prevent someone or anyone from updating any references you like, through the usual pre-receive and update hooks. But any reference you have, someone else can see.