
How to reject a forced update by GIT on client side when doing a git fetch or git pull?


It is possible to deny forced pushes on server-side by setting receive.denyNonFastForwards or by adding a git hook (or in a different way for special GIT servers like Gerrit or GitHub). I would like to reject a forced update on client side (see also here), when doing a git fetch or git pull or a git pull --rebase. If I don't have access to the GIT server to reject forced pushes (or if I don't trust the server because others have access too), I might want GIT to stop with an error before changing any refs when a forced push was done. This could help to notice attackers changing the remote or if I simply want to know if somebody changes my commits (yes, if I really want to avoid somebody else committing using my name, I need to sign my commits using my key).

It seems not to be possible to run code after a fetch or pull command using hooks. I parse the output of git fetch and raise an error if "forced update" has been printed. But it would actually be better to detect this before refs are changed.

Is there a better way to do this?


Solution

  • Edit the remote.fetch line from git config to remove "+" from it. Then non-fast-forward fetches would fail. It does not protect, though, from branch removal.
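
The refspec change described in this answer, as an added example that is not part of the original post: it strips the leading "+" from the fetch refspecs stored under `remote.<name>.fetch` and then checks, in a constructed throwaway setup, that a force-pushed rewrite is rejected with the remote-tracking ref left untouched. The remote name `origin`, the branch `main` and the directory names are assumptions of the example.

```shell
#!/bin/sh
# Added example: make `git fetch` refuse forced (non-fast-forward) updates.

# Rewrite every fetch refspec of a remote without its leading "+".
# $1 = remote name (defaults to "origin", an assumption of this example).
strict_fetch_refspecs() {
    key="remote.${1:-origin}.fetch"
    specs=$(git config --get-all "$key") || return 1
    git config --unset-all "$key" || return 1
    printf '%s\n' "$specs" | while IFS= read -r spec; do
        git config --add "$key" "${spec#+}" || exit 1
    done
}

# Constructed demo in a throwaway directory: a bare "server", an "author"
# who force-pushes rewritten history, and a "reader" with strict refspecs.
# Returns 0 only if the fetch is rejected and origin/main did not move.
demo_forced_update() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
        git init -q --bare server.git && git init -q author &&
            git init -q reader || exit 1

        cd author && echo one > file && g add file && g commit -q -m first &&
            g push -q ../server.git HEAD:refs/heads/main || exit 1

        cd ../reader && git remote add origin ../server.git &&
            strict_fetch_refspecs origin && git fetch -q origin || exit 1
        before=$(git rev-parse refs/remotes/origin/main) || exit 1

        # The author rewrites the commit and force-pushes it.
        cd ../author && echo two > file &&
            g commit -q -a --amend -m rewritten &&
            g push -q --force ../server.git HEAD:refs/heads/main || exit 1

        # With no "+" in the refspec this fetch must fail ...
        cd ../reader || exit 1
        if git fetch -q origin 2>/dev/null; then exit 1; fi
        # ... and the remote-tracking ref must still point at the old commit.
        [ "$(git rev-parse refs/remotes/origin/main)" = "$before" ]
    )
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Because `git pull` fetches through the same configured refspecs, the rejection applies there too; a rewrite that has been reviewed and accepted can be taken once with `git fetch --force`.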