Edit: as of git 1.8.2, git supports transfer.hiderefs
(spelled transfer.hideRefs
in the git config documentation). It was somewhat buggy until git 2.3.5 / 2.4.0 (as in, avoid it if you allow smart-http transfer, until you have 2.3.5 or 2.4.0 installed on the server).
To hide server/live:
git config --add transfer.hiderefs refs/heads/server/live
This is not perfect hiding: it exposes the existence of the name to push probes (as does receive.hiderefs
). See also uploadpack.allowTipSHA1InWant
.
No: the standard git remote protocols allow incoming querents to see all references. (You could fake it by removing the reference while serving clients, then re-inserting it, but you'd have to avoid any garbage collections from running if that is the only reference to the commit in question, and of course the reference would be unavailable to your own code at that time as well. It would be simpler to just clone the repo, and then remove the ref and serve from the "de-live-d" clone. Equivalently, but even simpler and probably faster, use a different repo to hold the "live" branch in the first place—that repo can fetch from the shared one as usual, but have its own private "live" branch.)
You can prevent someone or anyone from updating any references you like, through the usual pre-receive and update hooks. But any reference you have, someone else can see.