The card cost me under $150CAD, including shipping from the US. This card is pretty sweet; it has four ports on it so you can have four external drives, but beyond that you can also set them up as RAID0, RAID1, RAID5, or RAID10, and JBOD. There also seems to be a way you can bond the four ports together if the cables all go to the same storage device (I don’t know of any such devices at the moment though, and I imagine they’re probably right up there in cost with a Thunderbolt storage device). Individually, the ports are 5Gb/s, bonded you can supposedly get 20GB/s.

So I did a few tests, and this card has seriously impressed me. I copied a 2GB file around in random ways to measure the speeds:

• From internal SATA2 drive to USB2 drive: 1:02.98s
• From internal SATA2 drive to the same drive: 20.952s
• From internal SATA2 drive to another internal SATA2 drive: 25.050s
• From internal SATA2 drive to USB3 drive: 19.652s

Talk about wow. Note it was the exact same drive, first connected to a USB2 port and then connected to a USB3 port. The speed increase on USB2 to USB3 is insane. What’s even more astonishing to me is that the transfer speeds were faster to the USB3 drive than to another internal drive. I suppose if the guts of this thing had SATA3 it would be a different story though. Since I don’t think I’ll be getting SATA3 in this thing anytime soon (and since I have run out of space for expansion cards due to the second double-high video card I’ve got in here), I suppose I’ll have to live with it. All in all, I think this was a good investment to make. If I run out of room internally, I don’t have to worry about just using external drives for “sometimes” access, but I imagine it would work well enough to run a virtual machine off of.

Yesterday I picked up the first SSD that I’ve bought (the other SSD in my Fedora box is a loaner from a friend). It’s a 240GB OCZ Agility 3, and it’s still over $1/GB which is a bit nuts, but since I have an extra SATA connection in my Mac Pro, I figured I’d give it a go. This rig is pretty good: 2 quad core Xeon CPUs, 32GB of RAM, and 8TB HDD space including the one external USB drive. The only real bottle-neck on this thing is disk I/O, so I figured I would give the whole SSD thing a go, since I knew I’d get better performance.

Using an impromptu timer on my phone, from chime to login screen, it took 3:07.7 minutes, and from when I hit enter at the login screen until all the apps were open and ready for use it took another 3:54.9 minutes (some of this is network-bound, as I waited for Chrome to reload its two windows with 27 tabs, and there are other hefty apps like iTunes (with a massive library), EagleFiler, Daylite, Mail, and quite a few others). So from turning the machine on to when I could use it was roughly 7 minutes. After installing the SSD and cloning my boot drive to it (and doing a lot of file moving so it would all fit!), then rebooting it once so any caches would be updated, I rebooted again and timed it.

From chime to login screen took 35.3 seconds. From login to all items ready for us took 43.0 seconds. So my boot time went from 7 minutes, to under 1.5 minutes all told. I think this is the best $300 I ever dropped. =)

The first is to setup some global options, some of which are nice for folks coming from Subversion. Having a global ignore file is useful. Mine has the following contents:

*~
*.orig
*.rej
*.swp
.#*
*.o
.DS_Store

Then adjust some global git options:

$ git config --global core.excludesfile ~/.gitignore
$ git config --global alias.st status
$ git config --global alias.ci commit
$ git config --global alias.co checkout
$ git config --global alias.br branch
$ git config --global user.name "Your Name"
$ git config --global user.email you@example.com
$ git config --global core.editor "vim"
$ git config --global color.branch auto
$ git config --global color.diff auto
$ git config --global color.interactive auto
$ git config --global color.status auto

The last few allow for colorized output, which I like (makes things like git status easier to read).

I also found out that I had screwed up the remote origin when setting up a new repository, and didn’t want to re-do everything, so found this useful one-liner:

$ git remote rm origin

Git n00bs like me will appreciate the above. =) (Note to self, express git urls as ssh://git.remote.com/path/to/repo.git rather than ssh://git.remote.com:/path/to/repo.git!)

Finally, I found an excellent resource called Create a new Git Remote Repository from some local files (or local git repository). Very accurate, very clear, and very easy to follow. Essentially I was taking a 4GB set of documents and wanted to turn it into a remote repository so that I could push/pull from my laptop and using this article, I was able to do so easily.

First, the location of AIDE+gpg in the subversion repo was “tools/AIDE+gpg” and it had one sub-directory, “trunk”. I never did end up using tags or branches or anything there. So the entire step from start to finish to do it was as follows:

git init AIDE
cd AIDE
echo "vdanen = Vincent Danen <[my email]>" >authors.txt
git svn init -T trunk svn+ssh://[repo]/tools/AIDE+gpg --no-metadata
git svn fetch -A authors.txt
git init --bare ../tmp
cd ../tmp
git symbolic-ref HEAD refs/heads/trunk
cd ../AIDE
git remote add bare ../tmp
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ../tmp
git branch -a
git branch -m trunk master
mv tmp AIDE+gpg.git

Presto. Done. Apparently I should now put this repo somewhere public (like github). I will figure that part out after lunch.

The problem is that all of my version control repos are in subversion, and I hate losing history. On some, I went through a painful CVS->SVN migration when I first started using subversion, and I was pleasantly surprised that git makes it quite a bit easier. I found this blog posting that helped me (for the most part… if you don’t use tags and branches, etc. you want to pay attention when doing some of the steps… took me a bit to figure that out). Most notably, in steps four and five when changing the “trunk” to “master”; it assumes you have the standard trunk/, tags/, branches/ layout (which I do in some repos, and not in others). If you use that convention, it works fine. If not, you can run into problems like I did.

The posting indicates to use:

git svn clone [SVN repo URL] --no-metadata -A authors-transform.txt \
   --stdlayout ~/temp
...
git init --bare ~/new-bare.git
cd ~/new-bare.git
git symbolic-ref HEAD refs/heads/trunk
cd ~/temp
git remote add bare ~/new-bare.git
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ~/new-bare.git
git branch -m trunk master

But this didn’t work for me, as –stdlayout isn’t so standard in my case (no tags/trunk/branches, so the top-level is the “trunk”). Instead I had to do:

git svn clone [svn repo] -A authors-transform.txt ~/tmp/git
cd ~/tmp/git
git init --bare ~/git/scripts.git
git remote add bare ~/git/scripts.git
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ~/git/scripts.git
git branch -m git-svn master

In this case, the only branch is the “git-svn” branch, so we want to turn “git-svn” into “master” (rather than trying to hunt down some non-existant branch called “trunk”). There might have been a better way to do this, but I’m a n00b so forgive me. All the explanation for the above is in that blog post I mentioned before (I’m mostly noting this as undoubtably I’ll bump my head against this again).

Some other useful links I found were this git guide and a piece on setting up gitweb on Fedora (works on RHEL also). Gitweb was essential, as I’m used to using viewvc with my subversion repos.

So will I use git for all my repos? Probably not. There are some old ones that don’t need to be converted because it’s all legacy code, and there are some others that I’ve built up with too much automation. I would like to try to extract some pieces of existing subversion repos into git, however. The AIDE+gpg scripts are one; they’re in the Annvix tools repo, and I’d like to try to break it out into it’s own git repo with history… not sure if this is possible but I’ll poke around and see what I can come up with. There are a few other Annvix tools that I’d do the same with (the rsec tool for one). Since Annvix isn’t in development anymore, I’d like to “untie” those tools from it and offer them as stand-alone things (probably on github or something).

So that’s my Saturday adventures for this weekend. =)

Strangely enough, if you have FileVault enabled for full-disk encryption, the guest account login still shows up when the system starts. This leads me to believe that some of the system preferences and a copy of Safari are stored in the Lion recovery partition. Annoyingly enough, this includes keys for wireless access points. I don’t know if there is a way to get that information (I suspect not, but you never know), but this means that some things are being stored outside of the FileVault, which concerns me somewhat.

• MIT Kerberos has been replaced with Heimdal
• Heimdal seems to prefer UDP over TCP; so if your KDC has a firewall in place to block UDP ports 88 and 749, you probably want to change your firewall rules to allow access to UDP (or you get strange errors: kinit says it can’t reach any defined KDC, Ticket Viewer says you provided the wrong password)
• /Library/Preferences/edu.mit.Kerberos is still a valid configuration file, however you need to remove the quotes (e.g if you have default_realm = "FOO.CA" you need to change that to default_realm = FOO.CA).
• Subversion (either Lion-supplied or via Fink) does not seem to do GSSAPI negotiation anymore
• Google Chrome on Lion does not seem to do GSSAPI negotiation anymore
• Safari on Lion does work with Kerberized (mod_auth_kerb) websites
• Supposedly you do not need to change /etc/authorization anymore; Lion is using a PAM stack that should give you a ticket upon login (provided your kerberos password and login password are the same (or presumably it is store in your Keychain) — I’ve not tested this yet
• Someone indicated that you can prefix the KDC hostname in /Library/Preferences/edu.mit.Kerberos with “tcp/host” to make Heimdal talk over TCP (preventing the need to open UDP ports), but there is also another indication that this doesn’t work — I’ve not tested this yet either

Anyways, the point is it’s messy. There is an ongoing discussion on the Apple support forums here: https://discussions.apple.com/thread/3189202 so if you’re experiencing some oddness (or getting things to work!) please either note in the comments here or on that discussion thread. I would really like to get subversion and Chrome working with kerberos auth again — those are the only two things preventing me from going forward with Lion on other systems.

Two-factor authentication turns off a lot of people because they think it’s too hard but it honestly isn’t, and the security benefits it provides are outstanding. Two-factor authentication operates on two principles or components for an authentication “token” (or password for lack of a better term): one thing you know (your password) and one thing you don’t (a random time-based PIN that a hardware device generates for you). This means that if someone has my username and password, that information is utterly useless without having my hardware token (which can be, in the case of Google, an iPhone or Android phone, etc.). Which makes my account really quite secure, and certainly more secure than it would be with just a password.

If you sincerely care about your Google Apps security, you really owe it to yourself to check out the two-factor authentication support. It’s easy to setup, cheap to setup, and easy to use as well.