The problem is that all of my version control repos are in subversion, and I hate losing history. On some, I went through a painful CVS->SVN migration when I first started using subversion, and I was pleasantly surprised that git makes it quite a bit easier. I found this blog posting that helped me (for the most part… if you don’t use tags and branches, etc. you want to pay attention when doing some of the steps… took me a bit to figure that out). Most notably, in steps four and five when changing the “trunk” to “master”; it assumes you have the standard trunk/, tags/, branches/ layout (which I do in some repos, and not in others). If you use that convention, it works fine. If not, you can run into problems like I did.

The posting indicates to use:

git svn clone [SVN repo URL] --no-metadata -A authors-transform.txt \
   --stdlayout ~/temp
...
git init --bare ~/new-bare.git
cd ~/new-bare.git
git symbolic-ref HEAD refs/heads/trunk
cd ~/temp
git remote add bare ~/new-bare.git
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ~/new-bare.git
git branch -m trunk master

But this didn’t work for me, as –stdlayout isn’t so standard in my case (no tags/trunk/branches, so the top-level is the “trunk”). Instead I had to do:

git svn clone [svn repo] -A authors-transform.txt ~/tmp/git
cd ~/tmp/git
git init --bare ~/git/scripts.git
git remote add bare ~/git/scripts.git
git config remote.bare.push 'refs/remotes/*:refs/heads/*'
git push bare
cd ~/git/scripts.git
git branch -m git-svn master

In this case, the only branch is the “git-svn” branch, so we want to turn “git-svn” into “master” (rather than trying to hunt down some non-existant branch called “trunk”). There might have been a better way to do this, but I’m a n00b so forgive me. All the explanation for the above is in that blog post I mentioned before (I’m mostly noting this as undoubtably I’ll bump my head against this again).

Some other useful links I found were this git guide and a piece on setting up gitweb on Fedora (works on RHEL also). Gitweb was essential, as I’m used to using viewvc with my subversion repos.

So will I use git for all my repos? Probably not. There are some old ones that don’t need to be converted because it’s all legacy code, and there are some others that I’ve built up with too much automation. I would like to try to extract some pieces of existing subversion repos into git, however. The AIDE+gpg scripts are one; they’re in the Annvix tools repo, and I’d like to try to break it out into it’s own git repo with history… not sure if this is possible but I’ll poke around and see what I can come up with. There are a few other Annvix tools that I’d do the same with (the rsec tool for one). Since Annvix isn’t in development anymore, I’d like to “untie” those tools from it and offer them as stand-alone things (probably on github or something).

So that’s my Saturday adventures for this weekend. =)

Strangely enough, if you have FileVault enabled for full-disk encryption, the guest account login still shows up when the system starts. This leads me to believe that some of the system preferences and a copy of Safari are stored in the Lion recovery partition. Annoyingly enough, this includes keys for wireless access points. I don’t know if there is a way to get that information (I suspect not, but you never know), but this means that some things are being stored outside of the FileVault, which concerns me somewhat.

• MIT Kerberos has been replaced with Heimdal
• Heimdal seems to prefer UDP over TCP; so if your KDC has a firewall in place to block UDP ports 88 and 749, you probably want to change your firewall rules to allow access to UDP (or you get strange errors: kinit says it can’t reach any defined KDC, Ticket Viewer says you provided the wrong password)
• /Library/Preferences/edu.mit.Kerberos is still a valid configuration file, however you need to remove the quotes (e.g if you have default_realm = "FOO.CA" you need to change that to default_realm = FOO.CA).
• Subversion (either Lion-supplied or via Fink) does not seem to do GSSAPI negotiation anymore
• Google Chrome on Lion does not seem to do GSSAPI negotiation anymore
• Safari on Lion does work with Kerberized (mod_auth_kerb) websites
• Supposedly you do not need to change /etc/authorization anymore; Lion is using a PAM stack that should give you a ticket upon login (provided your kerberos password and login password are the same (or presumably it is store in your Keychain) — I’ve not tested this yet
• Someone indicated that you can prefix the KDC hostname in /Library/Preferences/edu.mit.Kerberos with “tcp/host” to make Heimdal talk over TCP (preventing the need to open UDP ports), but there is also another indication that this doesn’t work — I’ve not tested this yet either

Anyways, the point is it’s messy. There is an ongoing discussion on the Apple support forums here: https://discussions.apple.com/thread/3189202 so if you’re experiencing some oddness (or getting things to work!) please either note in the comments here or on that discussion thread. I would really like to get subversion and Chrome working with kerberos auth again — those are the only two things preventing me from going forward with Lion on other systems.

The first is Introduction to OS X Access Control Lists (ACLs) which introduces you to OS X’s implementation of filesystem access control lists. OS X, like Linux, has ACLs that can be used to secure files beyond standard owner/group/world permissions. While the Finder lets you manipulate ACLs a little bit, the CLI tools are much more extensive.

The second is Finding hidden commands with the Option key which looks at some tricks hidden in OS X that are available just by holding down the Option key. There are some neat little nuggets you can expose when holding down that Option key and clicking on things, and this tip illustrates a few.