git-push - Update remote refs along with associated objects

SYNOPSIS
    git push [--all | --mirror | --tags] [--follow-tags] [--atomic] [-n | --dry-run] [--receive-pack=<git-receive-pack>]
             [--repo=<repository>] [-f | --force] [-d | --delete] [--prune] [-v | --verbose]
             [-u | --set-upstream] [-o <string> | --push-option=<string>]
             [--[no-]signed|--signed=(true|false|if-asked)]
             [--force-with-lease[=<refname>[:<expect>]]]
             [--no-verify] [<repository> [<refspec>...]]

DESCRIPTION
Updates remote refs using local refs, while sending objects necessary to complete the given refs.

You can make interesting things happen to a repository every time you push into it, by setting up hooks there. See documentation for git-receive-pack[1].

When the command line does not specify where to push with the <repository> argument, branch.*.remote configuration for the current branch is consulted to determine where to push. If the configuration is missing, it defaults to origin.

When the command line does not specify what to push with <refspec>... arguments or --all, --mirror, --tags options, the command finds the default <refspec> by consulting remote.*.push configuration, and if it is not found, honors push.default configuration to decide what to push (See git-config[1] for the meaning of push.default).

When neither the command-line nor the configuration specify what to push, the default behavior is used, which corresponds to the simple value for push.default: the current branch is pushed to the corresponding upstream branch, but as a safety measure, the push is aborted if the upstream branch does not have the same name as the local one.

OPTIONS
<repository>
    The "remote" repository that is destination of a push operation. This parameter can be either a URL (see the section GIT URLS below) or the name of a remote (see the section REMOTES below).

<refspec>...
    Specify what destination ref to update with what source object. The format of a <refspec> parameter is an optional plus +, followed by the source object <src>, followed by a colon :, followed by the destination ref <dst>.

    The <src> is often the name of the branch you would want to push, but it can be any arbitrary "SHA-1 expression", such as master~4 or HEAD (see gitrevisions[7]).

    The <dst> tells which ref on the remote side is updated with this push. Arbitrary expressions cannot be used here, an actual ref must be named. If git push [<repository>] without any <refspec> argument is set to update some ref at the destination with <src> with remote.<repository>.push configuration variable, :<dst> part can be omitted; such a push will update a ref that <src> normally updates without any <refspec> on the command line. Otherwise, missing :<dst> means to update the same ref as the <src>.

    If <dst> doesn’t start with refs/ (e.g. refs/heads/master) we will try to infer where in refs/* on the destination it belongs based on the type of <src> being pushed and whether <dst> is ambiguous.

      • If <dst> unambiguously refers to a ref on the remote, then push to that ref.

      • If <src> resolves to a ref starting with refs/heads/ or refs/tags/, then prepend that to <dst>.

      • Other ambiguity resolutions might be added in the future, but for now any other cases will error out with an error indicating what we tried, and depending on the advice.pushUnqualifiedRefname configuration (see git-config[1]) suggest what refs/ namespace you may have wanted to push to.

    The object referenced by <src> is used to update the reference on the remote side. Whether this is allowed depends on where in refs/* the reference lives as described in detail below, in those sections "update" means any modifications except deletes, which as noted after the next few sections are treated differently.

    The refs/heads/* namespace will only accept commit objects, and updates only if they can be fast-forwarded.

    The refs/tags/* namespace will accept any kind of object (as commits, trees and blobs can be tagged), and any updates to them will be rejected.

    It’s possible to push any type of object to any namespace outside of refs/{tags,heads}/. In the case of tags and commits, these will be treated as if they were the commits inside refs/heads/ for the purposes of whether the update is allowed.

    I.e. a fast-forward of commits and tags outside refs/{tags,heads}/* is allowed, even in cases where what’s being fast-forwarded is not a commit, but a tag object which happens to point to a new commit which is a fast-forward of the commit the last tag (or commit) it’s replacing. Replacing a tag with an entirely different tag is also allowed, if it points to the same commit, as well as pushing a peeled tag, i.e. pushing the commit that existing tag object points to, or a new tag object which an existing commit points to.

    Tree and blob objects outside of refs/{tags,heads}/ will be treated the same way as if they were inside refs/tags/, any update of them will be rejected.

    All of the rules described above about what’s not allowed as an update can be overridden by adding the optional leading + to a refspec (or using --force command line option). The only exception to this is that no amount of forcing will make the refs/heads/* namespace accept a non-commit object. Hooks and configuration can also override or amend these rules, see e.g. receive.denyNonFastForwards in git-config[1] and pre-receive and update in githooks[5].

    Pushing an empty <src> allows you to delete the <dst> ref from the remote repository. Deletions are always accepted without a leading + in the refspec (or --force), except when forbidden by configuration or hooks. See receive.denyDeletes in git-config[1] and pre-receive and update in githooks[5].

    The special refspec : (or +: to allow non-fast-forward updates) directs Git to push "matching" branches: for every branch that exists on the local side, the remote side is updated if a branch of the same name already exists on the remote side.

    tag <tag> means the same as refs/tags/<tag>:refs/tags/<tag>.

--all
    Push all branches (i.e. refs under refs/heads/); cannot be used with other <refspec>.

--prune
    Remove remote branches that don’t have a local counterpart. For example a remote branch tmp will be removed if a local branch with the same name doesn’t exist any more. This also respects refspecs, e.g. git push --prune remote refs/heads/*:refs/tmp/* would make sure that remote refs/tmp/foo will be removed if refs/heads/foo doesn’t exist.

--mirror
    Instead of naming each ref to push, specifies that all refs under refs/ (which includes but is not limited to refs/heads/, refs/remotes/, and refs/tags/) be mirrored to the remote repository. Newly created local refs will be pushed to the remote end, locally updated refs will be force updated on the remote end, and deleted refs will be removed from the remote end. This is the default if the configuration option remote.<remote>.mirror is set.

-n
--dry-run
    Do everything except actually send the updates.

--porcelain
    Produce machine-readable output. The output status line for each ref will be tab-separated and sent to stdout instead of stderr. The full symbolic names of the refs will be given.

-d
--delete
    All listed refs are deleted from the remote repository. This is the same as prefixing all refs with a colon.

--tags
    All refs under refs/tags are pushed, in addition to refspecs explicitly listed on the command line.

--follow-tags
    Push all the refs that would be pushed without this option, and also push annotated tags in refs/tags that are missing from the remote but are pointing at commit-ish that are reachable from the refs being pushed. This can also be specified with configuration variable push.followTags. For more information, see push.followTags in git-config[1].

--[no-]signed
--signed=(true|false|if-asked)
    GPG-sign the push request to update refs on the receiving side, to allow it to be checked by the hooks and/or be logged. If false or --no-signed, no signing will be attempted. If true or --signed, the push will fail if the server does not support signed pushes. If set to if-asked, sign if and only if the server supports signed pushes. The push will also fail if the actual call to gpg --sign fails. See git-receive-pack[1] for the details on the receiving end.

--[no-]atomic
    Use an atomic transaction on the remote side if available. Either all refs are updated, or on error, no refs are updated. If the server does not support atomic pushes the push will fail.

-o <option>
--push-option=<option>
    Transmit the given string to the server, which passes them to the pre-receive as well as the post-receive hook. The given string must not contain a NUL or LF character. When multiple --push-option=<option> are given, they are all sent to the other side in the order listed on the command line. When no --push-option=<option> is given from the command line, the values of configuration variable push.pushOption are used instead.

--receive-pack=<git-receive-pack>
--exec=<git-receive-pack>
    Path to the git-receive-pack program on the remote end. Sometimes useful when pushing to a remote repository over ssh, and you do not have the program in a directory on the default $PATH.

--[no-]force-with-lease
--force-with-lease=<refname>
--force-with-lease=<refname>:<expect>
    Usually, "git push" refuses to update a remote ref that is not an ancestor of the local ref used to overwrite it.

    This option overrides this restriction if the current value of the remote ref is the expected value. "git push" fails otherwise.

    Imagine that you have to rebase what you have already published. You will have to bypass the "must fast-forward" rule in order to replace the history you originally published with the rebased history. If somebody else built on top of your original history while you are rebasing, the tip of the branch at the remote may advance with her commit, and blindly pushing with --force will lose her work.

    This option allows you to say that you expect the history you are updating is what you rebased and want to replace. If the remote ref still points at the commit you specified, you can be sure that no other people did anything to the ref. It is like taking a "lease" on the ref without explicitly locking it, and the remote ref is updated only if the "lease" is still valid.

    --force-with-lease alone, without specifying the details, will protect all remote refs that are going to be updated by requiring their current value to be the same as the remote-tracking branch we have for them.

    --force-with-lease=<refname>, without specifying the expected value, will protect the named ref (alone), if it is going to be updated, by requiring its current value to be the same as the remote-tracking branch we have for it.

    --force-with-lease=<refname>:<expect> will protect the named ref (alone), if it is going to be updated, by requiring its current value to be the same as the specified value <expect> (which is allowed to be different from the remote-tracking branch we have for the refname, or we do not even have to have such a remote-tracking branch when this form is used). If <expect> is the empty string, then the named ref must not already exist.

    Note that all forms other than --force-with-lease=<refname>:<expect> that specifies the expected current value of the ref explicitly are still experimental and their semantics may change as we gain experience with this feature.

    "--no-force-with-lease" will cancel all the previous --force-with-lease on the command line.

    A general note on safety: supplying this option without an expected value, i.e. as --force-with-lease or --force-with-lease=<refname> interacts very badly with anything that implicitly runs git fetch on the remote to be pushed to in the background, e.g. git fetch origin on your repository in a cronjob.

    The protection it offers over --force is ensuring that subsequent changes your work wasn’t based on aren’t clobbered, but this is trivially defeated if some background process is updating refs in the background. We don’t have anything except the remote tracking info to go by as a heuristic for refs you’re expected to have seen & are willing to clobber.

    If your editor or some other system is running git fetch in the background for you a way to mitigate this is to simply set up another remote:

        git remote add origin-push $(git config remote.origin.url)
        git fetch origin-push

    Now when the background process runs git fetch origin the references on origin-push won’t be updated, and thus commands like:

        git push --force-with-lease origin-push

    Will fail unless you manually run git fetch origin-push. This method is of course entirely defeated by something that runs git fetch --all, in that case you’d need to either disable it or do something more tedious like:

        git fetch                 # update 'master' from remote
        git tag base master       # mark our base point
        git rebase -i master      # rewrite some commits
        git push --force-with-lease=master:base master:master

    I.e. create a base tag for versions of the upstream code that you’ve seen and are willing to overwrite, then rewrite history, and finally force push changes to master if the remote version is still at base, regardless of what your local remotes/origin/master has been updated to in the background.
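    The following script is an added example, not part of the git documentation: it replays the base-tag procedure above against a throw-away bare repository so both outcomes can be watched. A colleague pushes while we rewrite our published commit, a simulated background fetch advances origin/master, and then a dry run of the bare --force-with-lease is accepted (the hazard the note describes) while --force-with-lease=master:base is refused until we review the new tip and re-mark it. The repository paths, file names and identity values are constructed; it assumes git and mktemp are on PATH.

```shell
#!/bin/sh
# Added example, not part of the git documentation: reproduce the "base tag"
# lease procedure in a throw-away bare repository so the refused and the
# accepted push can both be observed. Assumes git and mktemp are on PATH.

# Identity for the throw-away commits (constructed values).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# commit_file DIR NAME: add a file called NAME to the repository in DIR and commit it.
commit_file() {
    echo "$2" > "$1/$2" && git -C "$1" add "$2" && git -C "$1" commit -q -m "$2"
}

# lease_demo: returns 0 only when all three observations match the documentation:
#   1. after a background fetch, a bare --force-with-lease would clobber the colleague's commit
#   2. --force-with-lease=master:base refuses, because the remote is no longer at 'base'
#   3. after re-marking 'base' at the fetched tip and rebasing, the same push succeeds
# The body runs in a subshell so HOME and the temporary directory stay local to it.
lease_demo() (
    command -v git >/dev/null 2>&1 || { echo "git not found" >&2; exit 2; }
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    export HOME="$work" GIT_CONFIG_NOSYSTEM=1   # ignore the user's and system's git config
    origin="$work/origin.git" me="$work/me" other="$work/colleague"

    # A bare remote, our clone with two published commits, and a colleague's clone.
    git init -q --bare "$origin" 2>/dev/null && git -C "$origin" symbolic-ref HEAD refs/heads/master &&
    git init -q "$me" 2>/dev/null && git -C "$me" symbolic-ref HEAD refs/heads/master &&
    git -C "$me" remote add origin "$origin" &&
    commit_file "$me" init && commit_file "$me" published &&
    git -C "$me" push -q origin master 2>/dev/null &&
    git clone -q "$origin" "$other" 2>/dev/null || exit 1

    # Mark the upstream state we reviewed, then rewrite our published commit.
    git -C "$me" tag base origin/master &&
    echo extra > "$me/extra" && git -C "$me" add extra &&
    git -C "$me" commit -q --amend -m "published (rewritten)" || exit 1

    # Meanwhile the colleague builds on the original history and pushes.
    commit_file "$other" theirs && git -C "$other" push -q origin master 2>/dev/null || exit 1

    # A background 'git fetch origin' silently advances our origin/master.
    git -C "$me" fetch -q origin 2>/dev/null || exit 1

    # 1. Bare --force-with-lease compares against origin/master, which the background
    #    fetch just updated, so even a dry run reports the clobbering push as acceptable.
    git -C "$me" push -q -n --force-with-lease origin master 2>/dev/null
    step1=$?

    # 2. The lease on 'base' names the tip we actually reviewed: the push is refused.
    git -C "$me" push -q --force-with-lease=master:base origin master:master 2>/dev/null
    step2=$?

    # 3. Review the new tip, re-mark it as 'base', rebase our rewrite onto it, and push.
    git -C "$me" tag -f base origin/master >/dev/null &&
    git -C "$me" rebase -q origin/master >/dev/null 2>&1 &&
    git -C "$me" push -q --force-with-lease=master:base origin master:master 2>/dev/null
    step3=$?

    # The colleague's commit must still be on the remote master.
    git -C "$origin" log --format=%s master | grep -q '^theirs$'
    kept=$?

    [ "$step1" -eq 0 ] && [ "$step2" -ne 0 ] && [ "$step3" -eq 0 ] && [ "$kept" -eq 0 ]
)

lease_demo && echo "the lease behaved as documented"
```

    The dry run in step 1 is what makes the hazard visible without destroying anything: the lease is checked during a dry run, and it passes because the background fetch moved origin/master to exactly the commit the remote holds. Step 2 uses the tag as the expected value instead, so no fetch can widen the lease behind your back.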

-f
--force
    Usually, the command refuses to update a remote ref that is not an ancestor of the local ref used to overwrite it. Also, when --force-with-lease option is used, the command refuses to update a remote ref whose current value does not match what is expected.

    This flag disables these checks, and can cause the remote repository to lose commits; use it with care.

    Note that --force applies to all the refs that are pushed, hence using it with push.default set to matching or with multiple push destinations configured with remote.*.push may overwrite refs other than the current branch (including local refs that are strictly behind their remote counterpart). To force a push to only one branch, use a + in front of the refspec to push (e.g. git push origin +master to force a push to the master branch). See the <refspec>... section above for details.

--repo=<repository>
    This option is equivalent to the <repository> argument. If both are specified, the command-line argument takes precedence.

-u
--set-upstream
    For every branch that is up to date or successfully pushed, add upstream (tracking) reference, used by argument-less git-pull[1] and other commands. For more information, see branch.<name>.merge in git-config[1].

--[no-]thin
    These options are passed to git-send-pack[1]. A thin transfer significantly reduces the amount of sent data when the sender and receiver share many of the same objects in common. The default is --thin.

-q
--quiet
    Suppress all output, including the listing of updated refs, unless an error occurs. Progress is not reported to the standard error stream.

-v
--verbose
    Run verbosely.

--progress
    Progress status is reported on the standard error stream by default when it is attached to a terminal, unless -q is specified. This flag forces progress status even if the standard error stream is not directed to a terminal.

--no-recurse-submodules
--recurse-submodules=check|on-demand|only|no
    May be used to make sure all submodule commits used by the revisions to be pushed are available on a remote-tracking branch. If check is used Git will verify that all submodule commits that changed in the revisions to be pushed are available on at least one remote of the submodule. If any commits are missing the push will be aborted and exit with non-zero status. If on-demand is used all submodules that changed in the revisions to be pushed will be pushed. If on-demand was not able to push all necessary revisions it will also be aborted and exit with non-zero status. If only is used all submodules will be recursively pushed while the superproject is left unpushed. A value of no or using --no-recurse-submodules can be used to override the push.recurseSubmodules configuration variable when no submodule recursion is required.

--[no-]verify
    Toggle the pre-push hook (see githooks[5]). The default is --verify, giving the hook a chance to prevent the push. With --no-verify, the hook is bypassed completely.

-4
--ipv4
    Use IPv4 addresses only, ignoring IPv6 addresses.

-6
--ipv6
    Use IPv6 addresses only, ignoring IPv4 addresses.
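The --[no-]verify option above gives the pre-push hook its chance to stop a push on the client side. As an added example, not part of the git documentation, here is such a hook: it refuses to delete or rewrite (non-fast-forward) a protected branch, and leaves every other ref alone. The protected-branch pattern, the function names and the sample object names are constructed assumptions; the stdin line format and the all-zero object name for "does not exist" follow githooks[5].

```shell
#!/bin/sh
# Added example, not part of the git documentation: a pre-push hook that refuses
# deletion or rewriting of protected branches before git contacts the remote.
# Assumed layout (constructed): protected branches are refs/heads/master and
# refs/heads/release/*; adjust is_protected to your repository.
# Install as .git/hooks/pre-push (executable). git runs it as
#   pre-push <remote-name> <remote-url>
# with one line per ref to be updated on stdin:
#   <local-ref> <local-oid> <remote-ref> <remote-oid>
# An all-zero <local-oid> means the ref is being deleted; an all-zero
# <remote-oid> means it does not yet exist on the remote (see githooks[5]).

# is_zero_oid OID: true for the all-zero object name of either hash length.
is_zero_oid() {
    case $1 in
        *[!0]*) return 1 ;;   # contains a non-zero digit
        *)      return 0 ;;
    esac
}

# is_protected REF: true for the branches we never delete or rewrite.
is_protected() {
    case $1 in
        refs/heads/master|refs/heads/release/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_push_line LOCAL_REF LOCAL_OID REMOTE_REF REMOTE_OID
# Prints the reason on stderr and returns 1 when the update must be refused.
check_push_line() {
    local_ref=$1 local_oid=$2 remote_ref=$3 remote_oid=$4
    is_protected "$remote_ref" || return 0          # unprotected refs: anything goes
    if is_zero_oid "$local_oid"; then
        echo "pre-push: refusing to delete protected branch $remote_ref" >&2
        return 1
    fi
    is_zero_oid "$remote_oid" && return 0           # creating the branch is fine
    # A protected branch may only move forward: the remote tip must be an ancestor
    # of what we push. The remote tip is normally known locally from an earlier
    # fetch; if it is not, merge-base fails and we fail closed.
    if ! git merge-base --is-ancestor "$remote_oid" "$local_oid" 2>/dev/null; then
        echo "pre-push: $remote_ref would not fast-forward from $remote_oid ($local_ref); refusing" >&2
        return 1
    fi
    return 0
}

# pre_push_hook: the hook body. Reads the ref lines from stdin and returns 1 on
# the first refused update, which makes git abort the whole push.
pre_push_hook() {
    while read -r local_ref local_oid remote_ref remote_oid; do
        check_push_line "$local_ref" "$local_oid" "$remote_ref" "$remote_oid" || return 1
    done
    return 0
}

# git invokes the hook with exactly two arguments (remote name and URL); when the
# file is sourced for testing there are none, so only the functions are defined.
if [ $# -eq 2 ]; then
    pre_push_hook
    exit $?
fi
```

Because the hook runs before any object is sent, a refusal costs nothing on the server; a receive-side equivalent (receive.denyDeletes, receive.denyNonFastForwards, or a pre-receive hook, all mentioned above) is still needed for anyone who pushes with --no-verify.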

GIT URLS
In general, URLs contain information about the transport protocol, the address of the remote server, and the path to the repository. Depending on the transport protocol, some of this information may be absent.

Git supports ssh, git, http, and https protocols (in addition, ftp, and ftps can be used for fetching, but this is inefficient and deprecated; do not use it).

The native transport (i.e. git:// URL) does no authentication and should be used with caution on unsecured networks.

The following syntaxes may be used with them:

  • ssh://[user@]host.xz[:port]/path/to/repo.git/

  • git://host.xz[:port]/path/to/repo.git/

  • http[s]://host.xz[:port]/path/to/repo.git/

  • ftp[s]://host.xz[:port]/path/to/repo.git/

An alternative scp-like syntax may also be used with the ssh protocol:

  • [user@]host.xz:path/to/repo.git/

This syntax is only recognized if there are no slashes before the first colon. This helps differentiate a local path that contains a colon. For example the local path foo:bar could be specified as an absolute path or ./foo:bar to avoid being misinterpreted as an ssh url.

The ssh and git protocols additionally support ~username expansion:

  • ssh://[user@]host.xz[:port]/~[user]/path/to/repo.git/

  • git://host.xz[:port]/~[user]/path/to/repo.git/

  • [user@]host.xz:/~[user]/path/to/repo.git/

For local repositories, also supported by Git natively, the following syntaxes may be used:

  • /path/to/repo.git/

  • file:///path/to/repo.git/

These two syntaxes are mostly equivalent, except when cloning, when the former implies --local option. See git-clone[1] for details.

When Git doesn’t know how to handle a certain transport protocol, it attempts to use the remote-<transport> remote helper, if one exists. To explicitly request a remote helper, the following syntax may be used:

  • <transport>::<address>

where <address> may be a path, a server and path, or an arbitrary URL-like string recognized by the specific remote helper being invoked. See gitremote-helpers[7] for details.

If there are a large number of similarly-named remote repositories and you want to use a different format for them (such that the URLs you use will be rewritten into URLs that work), you can create a configuration section of the form:

    [url "<actual url base>"]
        insteadOf = <other url base>

For example, with this:

    [url "git://"]
        insteadOf = host.xz:/path/to/
        insteadOf = work:

a URL like "work:repo.git" or like "host.xz:/path/to/repo.git" will be rewritten in any context that takes a URL to be "git://".

If you want to rewrite URLs for push only, you can create a configuration section of the form:

    [url "<actual url base>"]
        pushInsteadOf = <other url base>

For example, with this:

    [url "ssh://"]
        pushInsteadOf = git://

a URL like "git://" will be rewritten to "ssh://" for pushes, but pulls will still use the original URL.
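The two rewrite rules above are easy to get wrong (pushInsteadOf is matched against the URL as stored in the remote's configuration, not against the result of an insteadOf rewrite), so it is worth checking what git actually resolves. The script below is an added example, not from the git documentation: it sets both rules in a throw-away repository and prints the fetch and push URLs git reports for two remotes, one added with a full https URL and one with a short "work:" alias. The host example.invalid, the remote names and the paths are constructed; it assumes git and mktemp are on PATH.

```shell
#!/bin/sh
# Added example, not part of the git documentation: show insteadOf and
# pushInsteadOf taking effect, so a fetch-over-https, push-over-ssh policy can
# be verified before relying on it. Host, remote names and paths are constructed.

# rewrite_demo: prints the "git remote -v" listing of a throw-away repository
# after both rewrite rules are configured. Runs in a subshell so the temporary
# HOME and repository do not leak into the caller's environment.
rewrite_demo() (
    command -v git >/dev/null 2>&1 || { echo "git not found" >&2; exit 2; }
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    export HOME="$work" GIT_CONFIG_NOSYSTEM=1      # start from an empty git config
    repo="$work/repo"
    git init -q "$repo" 2>/dev/null || exit 1

    # Any context that takes a URL: the short "work:" form expands to the https base.
    git -C "$repo" config 'url.https://example.invalid/.insteadOf' 'work:' &&
    # Pushes only: the https base is swapped for ssh, so every push carries key auth.
    git -C "$repo" config 'url.ssh://git@example.invalid/.pushInsteadOf' 'https://example.invalid/' &&
    # 'origin' is stored with the https URL, so pushInsteadOf matches it;
    # 'mirror' is stored as "work:...", which only insteadOf matches.
    git -C "$repo" remote add origin 'https://example.invalid/team/repo.git' &&
    git -C "$repo" remote add mirror 'work:team/repo.git' || exit 1

    # Each line is "<name>\t<url> (fetch)" or "<name>\t<url> (push)", after rewriting.
    git -C "$repo" remote -v
)

# url_for NAME KIND: the URL rewrite_demo reports for remote NAME and KIND (fetch|push).
url_for() {
    rewrite_demo | awk -F '\t' -v name="$1" -v kind="$2" '
        $1 == name && $2 ~ (" \\(" kind "\\)$") { sub(/ \((fetch|push)\)$/, "", $2); print $2 }'
}

rewrite_demo
```

Expected reading of the listing: origin fetches over https and pushes over ssh, while mirror uses https for both, because its stored URL ("work:team/repo.git") never matched the pushInsteadOf prefix. To route an aliased remote's pushes over ssh as well, add a pushInsteadOf rule for the alias prefix itself.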

REMOTES
The name of one of the following can be used instead of a URL as <repository> argument:

  • a remote in the Git configuration file: $GIT_DIR/config,

  • a file in the $GIT_DIR/remotes directory, or

  • a file in the $GIT_DIR/branches directory.

All of these also allow you to omit the refspec from the command line because they each contain a refspec which git will use by default.

Named remote in configuration file

You can choose to provide the name of a remote which you had previously configured using git-remote[1], git-config[1] or even by a manual edit to the $GIT_DIR/config file. The URL of this remote will be used to access the repository. The refspec of this remote will be used by default when you do not provide a refspec on the command line. The entry in the config file would appear like this:

    [remote "<name>"]
        url = <url>
        pushurl = <pushurl>
        push = <refspec>
        fetch = <refspec>

The <pushurl> is used for pushes only. It is optional and defaults to <url>.

Named file in $GIT_DIR/remotes

You can choose to provide the name of a file in $GIT_DIR/remotes. The URL in this file will be used to access the repository. The refspec in this file will be used as default when you do not provide a refspec on the command line. This file should have the following format:

    URL: one of the above URL format
    Push: <refspec>
    Pull: <refspec>

Push: lines are used by git push and Pull: lines are used by git pull and git fetch. Multiple Push: and Pull: lines may be specified for additional branch mappings.

Named file in $GIT_DIR/branches

You can choose to provide the name of a file in $GIT_DIR/branches. The URL in this file will be used to access the repository. This file should have the following format:

    <url>#<head>

<url> is required; #<head> is optional.

Depending on the operation, git will use one of the following refspecs, if you don’t provide one on the command line. <branch> is the name of this file in $GIT_DIR/branches and <head> defaults to master.

git fetch uses:

    refs/heads/<head>:refs/heads/<branch>

git push uses:

    HEAD:refs/heads/<head>


OUTPUT
The output of "git push" depends on the transport method used; this section describes the output when pushing over the Git protocol (either locally or via ssh).

The status of the push is output in tabular form, with each line representing the status of a single ref. Each line is of the form:

    <flag> <summary> <from> -> <to> (<reason>)

If --porcelain is used, then each line of the output is of the form:

    <flag> \t <from>:<to> \t <summary> (<reason>)

The status of up-to-date refs is shown only if --porcelain or --verbose option is used.

flag
    A single character indicating the status of the ref:

    (space)   for a successfully pushed fast-forward;
    +         for a successful forced update;
    -         for a successfully deleted ref;
    *         for a successfully pushed new ref;
    !         for a ref that was rejected or failed to push; and
    =         for a ref that was up to date and did not need pushing.

summary
    For a successfully pushed ref, the summary shows the old and new values of the ref in a form suitable for using as an argument to git log (this is <old>..<new> in most cases, and <old>...<new> for forced non-fast-forward updates).

    For a failed update, more details are given:

    rejected
        Git did not try to send the ref at all, typically because it is not a fast-forward and you did not force the update.

    remote rejected
        The remote end refused the update. Usually caused by a hook on the remote side, or because the remote repository has one of the following safety options in effect: receive.denyCurrentBranch (for pushes to the checked out branch), receive.denyNonFastForwards (for forced non-fast-forward updates), receive.denyDeletes or receive.denyDeleteCurrent. See git-config[1].

    remote failure
        The remote end did not report the successful update of the ref, perhaps because of a temporary error on the remote side, a break in the network connection, or other transient error.

from
    The name of the local ref being pushed, minus its refs/<type>/ prefix. In the case of deletion, the name of the local ref is omitted.

to
    The name of the remote ref being updated, minus its refs/<type>/ prefix.

reason
    A human-readable explanation. In the case of successfully pushed refs, no explanation is needed. For a failed ref, the reason for failure is described.
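The --porcelain form above is the one a deploy or CI script should parse, since the human-readable form goes to stderr and is free to change. As an added example, not part of the git documentation, the function below reads porcelain status lines from standard input, labels each ref by its flag (forced updates and deletions in upper case so they stand out in a log), and returns 1 when any ref was rejected or failed. The sample lines it is fed are constructed stand-ins for real push output; the hashes, refs and remote are made up.

```shell
#!/bin/sh
# Added example, not part of the git documentation: audit the --porcelain status
# lines documented above. Real usage:  git push --porcelain origin | audit_push_status

# audit_push_status: read porcelain status lines on stdin, print one labelled line
# per ref, and return 1 when any ref was rejected or failed.
audit_push_status() {
    awk -F '\t' '
        BEGIN { failed = 0 }
        # Lines without the three tab-separated fields ("To <url>", "Done") carry no ref status.
        NF < 3 { next }
        {
            flag = $1; split($2, refs, ":"); summary = $3
            if      (flag == " ") kind = "fast-forward"
            else if (flag == "+") kind = "FORCED"
            else if (flag == "-") kind = "DELETED"
            else if (flag == "*") kind = "new"
            else if (flag == "=") kind = "up-to-date"
            else if (flag == "!") { kind = "FAILED"; failed++ }
            else next
            # A deletion has no <from>; say so instead of printing an empty field.
            from = (refs[1] == "") ? "(none)" : refs[1]
            printf "%-12s %s -> %s  %s\n", kind, from, refs[2], summary
        }
        END { if (failed > 0) exit 1 }'
}

# sample_porcelain: constructed stand-in for "git push --porcelain" output
# (flag, tab, <from>:<to>, tab, summary); the hashes and the remote are made up.
sample_porcelain() {
    printf '%s\n' 'To example.invalid:team/repo.git'
    printf '%s\t%s\t%s\n' ' ' 'refs/heads/master:refs/heads/master' '1a2b3c4..5d6e7f8'
    printf '%s\t%s\t%s\n' '+' 'refs/heads/wip:refs/heads/wip' '1a2b3c4...9f8e7d6'
    printf '%s\t%s\t%s\n' '!' 'refs/heads/topic:refs/heads/topic' '[rejected] (non-fast-forward)'
    printf '%s\t%s\t%s\n' '*' 'refs/tags/v1.0:refs/tags/v1.0' '[new tag]'
    printf '%s\t%s\t%s\n' '-' ':refs/heads/old' '[deleted]'
    printf '%s\n' 'Done'
}

# count_push_status KIND: how many refs in the sample were labelled KIND.
count_push_status() {
    sample_porcelain | audit_push_status | grep -c "^$1 "
}

# Running the sample through the audit prints five labelled lines and exits 1,
# because one ref was rejected.
sample_porcelain | audit_push_status
```

In a pipeline the exit status is the useful part: `git push --porcelain origin | audit_push_status || exit 1` stops a script at the first rejected ref, and the labelled lines give the log something greppable for forced updates and deletions that a reviewer may want to look at.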

NOTE ABOUT FAST-FORWARDS
When an update changes a branch (or more in general, a ref) that used to point at commit A to point at another commit B, it is called a fast-forward update if and only if B is a descendant of A.

In a fast-forward update from A to B, the set of commits that the original commit A built on top of is a subset of the commits the new commit B builds on top of. Hence, it does not lose any history.

In contrast, a non-fast-forward update will lose history. For example, suppose you and somebody else started at the same commit X, and you built a history leading to commit B while the other person built a history leading to commit A. The history looks like this:

          B
         /
     ---X---A

Further suppose that the other person already pushed changes leading to A back to the original repository from which you two obtained the original commit X.

The push done by the other person updated the branch that used to point at commit X to point at commit A. It is a fast-forward.

But if you try to push, you will attempt to update the branch (that now points at A) with commit B. This does not fast-forward. If you did so, the changes introduced by commit A will be lost, because everybody will now start building on top of B.

The command by default does not allow an update that is not a fast-forward to prevent such loss of history.

If you do not want to lose your work (history from X to B) or the work by the other person (history from X to A), you would need to first fetch the history from the repository, create a history that contains changes done by both parties, and push the result back.

You can perform "git pull", resolve potential conflicts, and "git push" the result. A "git pull" will create a merge commit C between commits A and B.

          B---C
         /   /
     ---X---A

Updating A with the resulting merge commit will fast-forward and your push will be accepted.

Alternatively, you can rebase your change between X and B on top of A, with "git pull --rebase", and push the result back. The rebase will create a new commit D that builds the change between X and B on top of A.

          B   D
         /   /
     ---X---A

Again, updating A with this commit will fast-forward and your push will be accepted.

There is another common situation where you may encounter non-fast-forward rejection when you try to push, and it is possible even when you are pushing into a repository nobody else pushes into. After you push commit A yourself (in the first picture in this section), replace it with "git commit --amend" to produce commit B, and you try to push it out, because you forgot that you have pushed A out already. In such a case, and only if you are certain that nobody in the meantime fetched your earlier commit A (and started building on top of it), you can run "git push --force" to overwrite it. In other words, "git push --force" is a method reserved for a case where you do mean to lose history.


EXAMPLES
git push
    Works like git push <remote>, where <remote> is the current branch’s remote (or origin, if no remote is configured for the current branch).

git push origin
    Without additional configuration, pushes the current branch to the configured upstream (remote.origin.merge configuration variable) if it has the same name as the current branch, and errors out without pushing otherwise.

    The default behavior of this command when no <refspec> is given can be configured by setting the push option of the remote, or the push.default configuration variable.

    For example, to default to pushing only the current branch to origin use git config remote.origin.push HEAD. Any valid <refspec> (like the ones in the examples below) can be configured as the default for git push origin.

git push origin :
    Push "matching" branches to origin. See <refspec> in the OPTIONS section above for a description of "matching" branches.

git push origin master
    Find a ref that matches master in the source repository (most likely, it would find refs/heads/master), and update the same ref (e.g. refs/heads/master) in origin repository with it. If master did not exist remotely, it would be created.

git push origin HEAD
    A handy way to push the current branch to the same name on the remote.

git push mothership master:satellite/master dev:satellite/dev
    Use the source ref that matches master (e.g. refs/heads/master) to update the ref that matches satellite/master (most probably refs/remotes/satellite/master) in the mothership repository; do the same for dev and satellite/dev.

    See the section describing <refspec>... above for a discussion of the matching semantics.

    This is to emulate git fetch run on the mothership using git push that is run in the opposite direction in order to integrate the work done on satellite, and is often necessary when you can only make connection in one way (i.e. satellite can ssh into mothership but mothership cannot initiate connection to satellite because the latter is behind a firewall or does not run sshd).

    After running this git push on the satellite machine, you would ssh into the mothership and run git merge there to complete the emulation of a git pull run on mothership to pull changes made on satellite.

git push origin HEAD:master
    Push the current branch to the remote ref matching master in the origin repository. This form is convenient to push the current branch without thinking about its local name.

git push origin master:refs/heads/experimental
    Create the branch experimental in the origin repository by copying the current master branch. This form is only needed to create a new branch or tag in the remote repository when the local name and the remote name are different; otherwise, the ref name on its own will work.

git push origin :experimental
    Find a ref that matches experimental in the origin repository (e.g. refs/heads/experimental), and delete it.

git push origin +dev:master
    Update the origin repository’s master branch with the dev branch, allowing non-fast-forward updates. This can leave unreferenced commits dangling in the origin repository. Consider the following situation, where a fast-forward is not possible:

        o---o---o---A---B  origin/master
                 \
                  X---Y---Z  dev

    The above command would change the origin repository to

                          A---B  (unnamed branch)
                         /
        o---o---o---X---Y---Z  master

    Commits A and B would no longer belong to a branch with a symbolic name, and so would be unreachable. As such, these commits would be removed by a git gc command on the origin repository.


SECURITY
The fetch and push protocols are not designed to prevent one side from stealing data from the other repository that was not intended to be shared. If you have private data that you need to protect from a malicious peer, your best option is to store it in another repository. This applies to both clients and servers. In particular, namespaces on a server are not effective for read access control; you should only grant read access to a namespace to clients that you would trust with read access to the entire repository.

The known attack vectors are as follows:

  1. The victim sends "have" lines advertising the IDs of objects it has that are not explicitly intended to be shared but can be used to optimize the transfer if the peer also has them. The attacker chooses an object ID X to steal and sends a ref to X, but isn’t required to send the content of X because the victim already has it. Now the victim believes that the attacker has X, and it sends the content of X back to the attacker later. (This attack is most straightforward for a client to perform on a server, by creating a ref to X in the namespace the client has access to and then fetching it. The most likely way for a server to perform it on a client is to "merge" X into a public branch and hope that the user does additional work on this branch and pushes it back to the server without noticing the merge.)

  2. As in #1, the attacker chooses an object ID X to steal. The victim sends an object Y that the attacker already has, and the attacker falsely claims to have X and not Y, so the victim sends Y as a delta against X. The delta reveals regions of X that are similar to Y to the attacker.


GIT

Part of the git[1] suite