The first is to setup some global options, some of which are nice for folks coming from Subversion. Having a global ignore file is useful. Mine has the following contents:

*~
*.orig
*.rej
*.swp
.#*
*.o
.DS_Store

Then adjust some global git options:

$ git config --global core.excludesfile ~/.gitignore
$ git config --global alias.st status
$ git config --global alias.ci commit
$ git config --global alias.co checkout
$ git config --global alias.br branch
$ git config --global user.name "Your Name"
$ git config --global user.email you@example.com
$ git config --global core.editor "vim"
$ git config --global color.branch auto
$ git config --global color.diff auto
$ git config --global color.interactive auto
$ git config --global color.status auto

The last few allow for colorized output, which I like (makes things like git status easier to read).

I also found out that I had screwed up the remote origin when setting up a new repository, and didn’t want to re-do everything, so found this useful one-liner:

$ git remote rm origin

Git n00bs like me will appreciate the above. =) (Note to self, express git urls as ssh://git.remote.com/path/to/repo.git rather than ssh://git.remote.com:/path/to/repo.git!)

Finally, I found an excellent resource called Create a new Git Remote Repository from some local files (or local git repository). Very accurate, very clear, and very easy to follow. Essentially I was taking a 4GB set of documents and wanted to turn it into a remote repository so that I could push/pull from my laptop and using this article, I was able to do so easily.

First, the location of AIDE+gpg in the subversion repo was “tools/AIDE+gpg” and it had one sub-directory, “trunk”. I never did end up using tags or branches or anything there. So the entire step from start to finish to do it was as follows:

git init AIDE
cd AIDE
echo "vdanen = Vincent Danen <[my email]>" >authors.txt
git svn init -T trunk svn+ssh://[repo]/tools/AIDE+gpg --no-metadata
git svn fetch -A authors.txt
git init --bare ../tmp
cd ../tmp
git symbolic-ref HEAD refs/heads/trunk
cd ../AIDE
git remote add bare ../tmp
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ../tmp
git branch -a
git branch -m trunk master
mv tmp AIDE+gpg.git

Presto. Done. Apparently I should now put this repo somewhere public (like github). I will figure that part out after lunch.

The problem is that all of my version control repos are in subversion, and I hate losing history. On some, I went through a painful CVS->SVN migration when I first started using subversion, and I was pleasantly surprised that git makes it quite a bit easier. I found this blog posting that helped me (for the most part… if you don’t use tags and branches, etc. you want to pay attention when doing some of the steps… took me a bit to figure that out). Most notably, in steps four and five when changing the “trunk” to “master”; it assumes you have the standard trunk/, tags/, branches/ layout (which I do in some repos, and not in others). If you use that convention, it works fine. If not, you can run into problems like I did.

The posting indicates to use:

git svn clone [SVN repo URL] --no-metadata -A authors-transform.txt \
   --stdlayout ~/temp
...
git init --bare ~/new-bare.git
cd ~/new-bare.git
git symbolic-ref HEAD refs/heads/trunk
cd ~/temp
git remote add bare ~/new-bare.git
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ~/new-bare.git
git branch -m trunk master

But this didn’t work for me, as –stdlayout isn’t so standard in my case (no tags/trunk/branches, so the top-level is the “trunk”). Instead I had to do:

git svn clone [svn repo] -A authors-transform.txt ~/tmp/git
cd ~/tmp/git
git init --bare ~/git/scripts.git
git remote add bare ~/git/scripts.git
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ~/git/scripts.git
git branch -m git-svn master

In this case, the only branch is the “git-svn” branch, so we want to turn “git-svn” into “master” (rather than trying to hunt down some non-existant branch called “trunk”). There might have been a better way to do this, but I’m a n00b so forgive me. All the explanation for the above is in that blog post I mentioned before (I’m mostly noting this as undoubtably I’ll bump my head against this again).

Some other useful links I found were this git guide and a piece on setting up gitweb on Fedora (works on RHEL also). Gitweb was essential, as I’m used to using viewvc with my subversion repos.

So will I use git for all my repos? Probably not. There are some old ones that don’t need to be converted because it’s all legacy code, and there are some others that I’ve built up with too much automation. I would like to try to extract some pieces of existing subversion repos into git, however. The AIDE+gpg scripts are one; they’re in the Annvix tools repo, and I’d like to try to break it out into it’s own git repo with history… not sure if this is possible but I’ll poke around and see what I can come up with. There are a few other Annvix tools that I’d do the same with (the rsec tool for one). Since Annvix isn’t in development anymore, I’d like to “untie” those tools from it and offer them as stand-alone things (probably on github or something).

So that’s my Saturday adventures for this weekend. =)

Strangely enough, if you have FileVault enabled for full-disk encryption, the guest account login still shows up when the system starts. This leads me to believe that some of the system preferences and a copy of Safari are stored in the Lion recovery partition. Annoyingly enough, this includes keys for wireless access points. I don’t know if there is a way to get that information (I suspect not, but you never know), but this means that some things are being stored outside of the FileVault, which concerns me somewhat.

• MIT Kerberos has been replaced with Heimdal
• Heimdal seems to prefer UDP over TCP; so if your KDC has a firewall in place to block UDP ports 88 and 749, you probably want to change your firewall rules to allow access to UDP (or you get strange errors: kinit says it can’t reach any defined KDC, Ticket Viewer says you provided the wrong password)
• /Library/Preferences/edu.mit.Kerberos is still a valid configuration file, however you need to remove the quotes (e.g if you have default_realm = "FOO.CA" you need to change that to default_realm = FOO.CA).
• Subversion (either Lion-supplied or via Fink) does not seem to do GSSAPI negotiation anymore
• Google Chrome on Lion does not seem to do GSSAPI negotiation anymore
• Safari on Lion does work with Kerberized (mod_auth_kerb) websites
• Supposedly you do not need to change /etc/authorization anymore; Lion is using a PAM stack that should give you a ticket upon login (provided your kerberos password and login password are the same (or presumably it is store in your Keychain) — I’ve not tested this yet
• Someone indicated that you can prefix the KDC hostname in /Library/Preferences/edu.mit.Kerberos with “tcp/host” to make Heimdal talk over TCP (preventing the need to open UDP ports), but there is also another indication that this doesn’t work — I’ve not tested this yet either

Anyways, the point is it’s messy. There is an ongoing discussion on the Apple support forums here: https://discussions.apple.com/thread/3189202 so if you’re experiencing some oddness (or getting things to work!) please either note in the comments here or on that discussion thread. I would really like to get subversion and Chrome working with kerberos auth again — those are the only two things preventing me from going forward with Lion on other systems.

Two-factor authentication turns off a lot of people because they think it’s too hard but it honestly isn’t, and the security benefits it provides are outstanding. Two-factor authentication operates on two principles or components for an authentication “token” (or password for lack of a better term): one thing you know (your password) and one thing you don’t (a random time-based PIN that a hardware device generates for you). This means that if someone has my username and password, that information is utterly useless without having my hardware token (which can be, in the case of Google, an iPhone or Android phone, etc.). Which makes my account really quite secure, and certainly more secure than it would be with just a password.

If you sincerely care about your Google Apps security, you really owe it to yourself to check out the two-factor authentication support. It’s easy to setup, cheap to setup, and easy to use as well.