I've moved (only a couple of blocks from where I was before), and as the new place has Webpass I've reluctantly given up my Sonic.net connection, along with its static IPv4 address and ISP IPv6 tunnel. Hard to resist a 200Mb/s ethernet connection for the same price I was paying for 18Mb/s ADSL2 though.

However that leaves my DGN3500 router somewhat inappropriate for providing my net connection. Freed from the need for an ADSL/cable router I decided it was time to build an all in one house server (I'm a believer in as few always on boxes as possible). I already had a nettop acting as a media box, but wanted to build something that would handle:

  • Gateway for the external network connection
    • Routing to internal ethernet
    • 2.4GHz wifi router
    • 5GHz wifi router
  • Printer server
  • House NAS
    • Backup server (syncing externally as well)
    • DLNA server
  • mpd server
  • ATSC based PVR

Probably in that order if it turns out I'm asking too much. The intention is the box is the only one that always needs to be on, so I wanted it to be low power consumption. I also wanted the option of hooking it up to the TV if it turned out to have enough grunt, so the case needed to be something suitable for the living room.

I like Intel's approach to graphics drivers, in particular the existence of Free video acceleration support, so I went with an Intel Core i3-3220T as the processor. It's a 35W Ivybridge processor with HD 2500 graphics, plus I got it for a decent price.

For the case I chose a CFI A2059. There's a local supplier I was able to pick it up from, it has a couple of large fans which helps keep the noise down while keeping things cool and as I was aiming for backup / file sharing being more important than a media box the 2 hot swap bays tipped the balance away from an AV style case.

The small case limits the motherboard options. I wanted twin GigE ports so the external was entirely separate from the internal (my switch does VLANs so I could have made do with a single port, but with a 200Mb/s connection I didn't really want to share the port). The Gigabyte GA-H77N-WIFI seemed to fit the bill, with the added advantage of a built in WiFi card (an Intel 2230 in a mini PCI-E slot) which leaves the PCI-E slot free for either a TV tuner or a second WiFi card to cover 5GHz.

I maxed out the board with 2 8G G.SKILL DDR3-1600 DIMMs. I normally go Crucial because I've found them reliable, but these were slightly cheaper and available from the same place as the motherboard.

Finally I added a Seagate ST4000DM000 for storage. It actually came from a Backup Plus that Costco were selling for about $20 less than the bare drive sells for. The plan is to add at least another 1T drive to RAID1 the most important bits (or possibly a 2T - it depends which of my existing drives I can tidy stuff off most easily).

Of course it's running Debian and I took the opportunity to try out the RC1 Wheezy image. For extra giggles I did an EFI install; this all worked fine except I didn't end up with grub-efi installed at the end, instead I had grub-pc. I booted with legacy BIOS enabled and followed Tanguy's switch to UEFI boot instructions.

Further notes on software setup to follow...

(This is something I did a few months ago, and I really should have noted down all the details then so I covered everything. However hopefully these notes will remind me enough next time.)

When I first wanted to reverse engineer a USB device that only had Windows drivers the "easy" option was to take a Windows machine, install usbsnoop on it and capture the traffic as a bunch of verbose text files. It was a cumbersome procedure.

Recently I wanted to do a firmware upgrade of a ZTE 3G modem dongle, partly to provider unlock it and partly to try and enable some voice functionality. I was also hoping to sniff the traffic to see how to drive the voice side of things. These days I don't have a dedicated Windows box, but I do have a Windows 7 KVM virtual machine. I hadn't yet used the USB support in this, but I thought I'd see what it was capable of.

Firstly I had to explicitly enable USB2 - the device wasn't happy with the default USB1 only stack that KVM enabled. That involved passing -usb -device usb-ehci,id=ehci to KVM. I also told KVM to grab all the ZTE devices with -device usb-host,bus=ehci.0,vendorid=0x19d2. I dropped a udev rules file into /etc/udev/rules.d to ensure any device nodes created belonged to my normal user.

This gave me a Windows setup that could see the USB dongle and install the appropriate drivers. It was also happy to do the firmware update (along with various device resets on the way as it changed USB ID - this is why I needed the udev rule, to ensure every time the device re-appeared it would be seen by the KVM instance without manual intervention).

After that was complete I investigated usbmon. modprobe usbmon created the appropriate /dev/usbmon<n> files and I chowned the appropriate bus to my normal user. Once this was done I was able to start Wireshark which rather nicely has full USB decoding support. Firing up the custom app in the Windows KVM guest I could see the traffic going back and forth to each of the device endpoints and work out what was going on.
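As an added example (not from the original post): besides the binary /dev/usbmon<n> nodes that Wireshark reads, usbmon has a text interface under debugfs (/sys/kernel/debug/usb/usbmon/<n>u), and this Python parser tallies traffic per endpoint for one device from it. The capture lines, bus/device numbers and payloads are constructed, and isochronous transfers are skipped.

```python
import re
from collections import defaultdict

# Constructed capture in usbmon's text format; bus, device and endpoint
# numbers and the payload bytes are made up for illustration.
SAMPLE = """\
ffff8800a1b2c300 1000000100 S Ci:2:005:0 s 80 06 0100 0000 0012 18 <
ffff8800a1b2c300 1000000350 C Ci:2:005:0 0 18 = 12010002 00000040 d2190000 00000102 0301
ffff8800a1b2c400 1000001200 S Bo:2:005:1 -115 4 = 41540d0a
ffff8800a1b2c400 1000001260 C Bo:2:005:1 0 4 >
ffff8800a1b2c500 1000001300 S Bi:2:005:1 -115 512 <
ffff8800a1b2c500 1000002900 C Bi:2:005:1 0 6 = 0d0a4f4b 0d0a
ffff8800a1b2c600 1000003000 S Bi:2:007:1 -115 512 <
"""

# URB tag, timestamp (us), event type, then type+direction:bus:device:endpoint.
LINE_RE = re.compile(
    r"^\S+ \d+ (?P<event>[SCE]) "
    r"[CIB](?P<dir>[io]):(?P<bus>\d+):(?P<dev>\d+):(?P<ep>\d+) (?P<rest>.+)$")

def parse_line(line):
    """Parse one control/interrupt/bulk event; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank, malformed, or isochronous (not handled here)
    words = m.group("rest").split()
    # Skip the status word, or 's' plus the five setup-packet words.
    words = words[6:] if words[0] == "s" else words[1:]
    if not words or not words[0].isdigit():
        return None
    # Data words are only present when the data tag is '='.
    has_data = len(words) > 1 and words[1] == "="
    return {
        "event": m.group("event"),
        "dir": "in" if m.group("dir") == "i" else "out",
        "bus": int(m.group("bus")),
        "dev": int(m.group("dev")),
        "ep": int(m.group("ep")),
        "length": int(words[0]),
        "data": bytes.fromhex("".join(words[2:])) if has_data else b"",
    }

def events(text, bus, dev):
    """All parsed events for one device address on one bus."""
    parsed = (parse_line(l) for l in text.splitlines())
    return [e for e in parsed if e and (e["bus"], e["dev"]) == (bus, dev)]

def bytes_per_endpoint(text, bus, dev):
    """Bytes actually transferred per (endpoint, direction)."""
    totals = defaultdict(int)
    for e in events(text, bus, dev):
        if e["event"] == "C":  # callback length is the actual transfer size
            totals[(e["ep"], e["dir"])] += e["length"]
    return dict(totals)

def payloads(text, bus, dev):
    """Captured data in order, as (endpoint, direction, bytes) tuples."""
    return [(e["ep"], e["dir"], e["data"]) for e in events(text, bus, dev) if e["data"]]

if __name__ == "__main__":
    print(bytes_per_endpoint(SAMPLE, 2, 5), payloads(SAMPLE, 2, 5))
```

The device address changes each time the dongle resets and re-enumerates, so filter on the current address rather than a fixed one.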

All of this was much more flexible than using a standalone Windows box. Once I figured out that I needed to explicitly enable USB2 I was quite pleased with how simple USB access under KVM was. I also used lvm to create a snapshot of the Windows guest so at the end I could roll back all of the drivers I'd installed for the dongle. And being able to use Wireshark instead of trawling through dense text files helped a lot in seeing the command stream.

The SPI 2012 board election voting opened up on Sunday and is open until the end of Saturday 28th July. My 3 year term has come to an end, so I'm standing for re-election. Michael Schultheiss (our current treasurer) is also standing again. There are also 2 new candidates in the shape of Gregers Petersen and Selena Deckelmann.

My nomination statement doesn't have anything earth shattering in it. I'm largely of the opinion that SPI itself should be a boring organization, dealing with the common admin tasks of its associated projects and letting them get on with the job of changing the world. There are some challenges about how we scale larger that I'd like to see solved, but on the whole I see my role as a board member as being one of ensuring that SPI continues to function in a sensible fashion, rather than one of engaging in altering it in any serious fashion.

If you're an SPI contributing member please vote - obviously I'd like you to vote for me if you think I've done a decent job over the past 3 years, but even if you don't I'd still like you to take the time to be involved and vote.

I generated 0x94FA372B2DA8B985 (my 4096R GPG key) back in 2008, and revoked my old 1024R v3 key around the same time. However I left my main 1024D key alone, figuring I'd get round to revoking it at some point once the new one was sufficiently trusted. This probably happened some time ago, so today I have finally revoked this key:

pub   1024D/0xF1BD4BE45B430367 1999-10-26 [revoked: 2012-07-13]
uid                            Jonathan McDowell <noodles@earth.li>

If you're not in the habit of refreshing your GPG keyring regularly now might be a good time to (gpg --refresh-keys) or at the very least pull my updated key (gpg --recv-key 0xF1BD4BE45B430367) to make sure you don't accidentally continue to use it.

(If I haven't signed your key with my stronger one please do wave a fingerprint/ID at me next time we meet, and ask me for the same in return.)

I'm at DebConf 12 and I've decided to use my time to clear out some minor bits and pieces I've been planning for a while. One of these was to do some graphing of the Debian keyrings over time. The bzr repository goes back to March 2008, but I've also got copies of keyrings for releases back to slink (February 1999). I've been a long time user of GD::Graph under Perl, but recently discovered SVG::TT::Graph and have been meaning to play with it. So I did. First up, number of keys in each keyring:

ring-totals.png

Most of the interesting data is towards the right, but we can also see the point where our v4 keyring overtook v3 keys back in 2001. More recently there's the end of our v3 support in 2010, and the steady increase of Debian Maintainers. The tiny green line is the Debian non-upload keyring.

Next I looked at key size (limiting myself to the DDv4 keyring to make things simpler):

key-sizes.png

Here we can see the steady increase of 4096 bit keys since 2009, and to a lesser extent 2048 bit keys. There are a few other sizes - 1 10k key, 1 8k key and 2 3k keys (I suspect these are tied to OpenPGPv2 cards). We're up to 28% of the keyring being stronger keys, but there's still a long way to go. (Interestingly the Debian Maintainer keyring is much better with 65% of keys being 2k or larger. The non-upload keyring is all 2k or greater.)

Finally I graphed key type, again limiting myself to the DDv4 keyring:

key-types.png

No real surprises here; DSA far and away the most common with RSA usage increasing as part of the move to larger key sizes. In the past we had a few Elgamal signing keys, but these were shown to be compromised thus disappeared entirely.
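The same size and type breakdown can be computed from gpg's machine-readable listing. This is an added Python example, not the Perl/SVG::TT::Graph code used for the graphs; the listing below is constructed, with placeholder key IDs and names.

```python
from collections import Counter

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA", 20: "Elgamal"}

# Constructed listing in the format printed by
#   gpg --no-default-keyring --keyring <file> --list-keys --with-colons
# Key IDs, dates and names are placeholders, not real Debian keys.
SAMPLE = """\
tru::1:1342000000:0:3:1:5
pub:-:1024:17:AAAAAAAAAAAAAA01:2001-03-04:::-:Constructed One <one@example.org>::scESC:
sub:-:2048:16:AAAAAAAAAAAAAA11:2001-03-04::::::e:
pub:-:4096:1:AAAAAAAAAAAAAA02:2009-06-01:::-:Constructed Two <two@example.org>::scESC:
pub:r:1024:17:AAAAAAAAAAAAAA03:1999-10-26:::-:Constructed Three <three@example.org>::sc:
pub:-:2048:1:AAAAAAAAAAAAAA04:2010-01-15:::-:Constructed Four <four@example.org>::scESC:
pub:-:1024:17:AAAAAAAAAAAAAA05:2003-08-20:::-:Constructed Five <five@example.org>::scESC:
"""

def primary_keys(listing):
    """Yield (bits, algorithm name) for each non-revoked primary key."""
    for line in listing.splitlines():
        f = line.split(":")
        # Field 1 is the record type, 2 the validity, 3 the key length,
        # 4 the algorithm ID. Skip subkeys, uids, trust records, revoked keys.
        if len(f) < 5 or f[0] != "pub" or f[1] == "r":
            continue
        yield int(f[2]), ALGOS.get(int(f[3]), "other(%s)" % f[3])

def keyring_stats(listing, strong_bits=2048):
    """Counts by key size and type, plus the share of keys >= strong_bits."""
    keys = list(primary_keys(listing))
    sizes = Counter(bits for bits, _ in keys)
    types = Counter(algo for _, algo in keys)
    strong = sum(n for bits, n in sizes.items() if bits >= strong_bits)
    pct = round(100.0 * strong / len(keys), 1) if keys else 0.0
    return {"total": len(keys), "sizes": dict(sizes),
            "types": dict(types), "strong_pct": pct}

if __name__ == "__main__":
    print(keyring_stats(SAMPLE))
```

Comparing by bit length only makes sense for RSA, DSA and Elgamal keys; elliptic-curve keys report much smaller sizes and would need to be bucketed separately.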

What do these graphs show me? At least the following:

  • Debian has a steady rate of growth, for both DDs and DMs. As Zack mentioned in his keynote yesterday it would be nice to see more non-packaging contributors.
  • We've made a noticeable effort towards transitioning to stronger keys, but there's still a lot of people who need to make the switch.
  • Our rate of growth has slowed over the years (not really surprising).

(You should be able to click on the graphs for larger version.)

Multiarch has been coming RSN for an extremely lengthy meaning of the word "soon". I remember watching Tollef give a presentation about it at DebConf4 and I'm pretty sure it's been talked about at every DebConf since then as well. Deemed the "correct" answer to the issue of running i386 binaries on x86_64 machines, or old ARM ABI programs on more modern hardware, it's always seemed to be at least another Debian release away.

Not so anymore. Through foolishness I ended up buying a Brother HL3040CN when I first moved to the US. It was a cheap networked laser printer and it touted Linux support. Quality wise it's been fine. I don't use it a lot, but unlike an inkjet I don't have to worry about not using it for a month and then needing to print something in a hurry and having to clean print heads etc. Where it falls down is that I failed to check that "Linux support" involved source. No. Instead it involves an i386 binary (at least packaged as a .deb, but in a horrible fashion). Up until now I've mostly been printing from my laptop, so all the drivers are installed there. I've got some guests this week and they needed to print their boarding passes, so I decided it was time to make the house server act as a print server too. It's an AMD64 box and before now I haven't had any need to run i386 code on it, so when I installed the driver deb it failed to work. Normally I'd just install ia32-libs, but this time I decided to try multiarch. So I did:

# dpkg --add-architecture i386
# apt-get update
# apt-get install libc6:i386

and magically I was now able to run the printer driver binary. I know there's a lot more work still to be done (I need to check if I can ditch ia32-libs on my laptop which runs a few more i386 only apps), but this is pretty cool - thanks to all those involved in making it happen!

Update: I tried to install all the multiarch bits required for Skype on my laptop but hit an issue with libqtgui4:i386 which ends up pulling in liblcms1:i386 which isn't yet multiarch enabled. There was already a bug, #637732 filed by vorlon, and mhy did the appropriate NMU a week ago, so it should hopefully hit testing in the next week. Thanks guys.

Back in November I ranted about the migration of Gnome Shell to Debian/Testing. Plenty of other people did the same thing (or have done the same thing about Unity).

I'd just like to say sorry to any of the GNOME people who felt unappreciated; I know you work hard to try and produce a useful user experience out of the box. I ended up doing the dist-upgrade on my work laptop only a week or so after my home machine, and in the process discovered that the nouveau Mesa driver now supports my machine pretty well. It's taken me a while to get used to it, but my frustrations with the change have diminished and I haven't felt the need to move to something different. So, a belated thanks for all your hard work.

DebConf12.png

Meant to post this a while ago when I booked the tickets, but life has a habit of being busy at present. I'm pleased to say I'm going to DebConf 12 in Managua. In the off-chance someone else might be on some of the same flights as me, here's what I've booked:

Outbound:

2012-07-07 00:15 SFO -> 08:12 CLT US466
2012-07-07 11:40 CLT -> 13:44 MIA US1831
2012-07-07 16:07 MIA -> 16:45 MGA US4925

Inbound:

2012-07-14 21:15 MGA -> 01:50 MIA US4944
2012-07-15 06:15 MIA -> 08:19 CLT US1800
2012-07-15 09:40 CLT -> 12:08 SFO US1485

There were some single stop options but the timings didn't make them any quicker, they weren't any cheaper, and these times worked better for me anyway.

Back in 2004 when Simon and I went full time with Black Cat one of the first things I did was sort out an ADSL offering, including native IPv6. We were one of the first UK ISPs to offer this (possibly the first; I know A&A had been doing tunneled IPv6 for a lot longer, but I'm not sure exactly when they enabled IPv6 on the PPP session. Also Bogons were fairly quick to enable it as well). By the middle of 2004 I was fully IPv6 enabled; my colo box had a native connection, my entire home network (a /64 for the wired, a /64 for the wireless) was configured, BCN had multiple native IPv6 connections to other ISPs (such as peering over LoNAP). By and large it just worked; I remember at one point looking at a traffic graph link from someone in Australia and them indicating surprise that I'd come in over v6. I hadn't noticed anything different than normal, which is exactly how it should be.

When we sold BCN in 2007 unfortunately one of the casualties was the v6 support. The ISP that took over the ADSL wasn't set up to be able to continue the v6 support, nor were RapidSwitch, who took over most of the hosting (I note with sadness that RapidSwitch still don't seem to be offering v6, though they keep saying it's a work in progress). So I stopped having any v6 for some time, refusing to slum it with a tunnel.

This changed at the start of last year, when I sought out new hosting for the. I ended up selecting Bytemark, partly because I knew of their commitment to v6. I'd chosen Sonic as my US access ISP, again partly because they offered an IPv6 tunnel service (while not as nice as native v6 over the DSL I felt that a tunnel provided by the DSL ISP was acceptable for access). However a combination of not having a machine that was always on at home, and a dynamic IP on my connection, meant that I never got round to configuring anything permanent up.

Recently I got around to buying a little low powered box to be always-on and this week I finally looked at configuring it up as the tunnel endpoint, planning to do some sort of screen scraping of the web interface to automatically update the tunnel broker information for the rare occurrences when my IP changes. The first nice surprise was that Sonic are now doing static IPs for free (previously you could only have a block of 8 for $20/month extra). That makes things a lot easier. So tonight I configured up the little server as the tunnel endpoint, installing radvd and some basic v6 firewalling. As expected my laptop sees the RAs, automatically configures everything up and my ssh sessions start to go over IPv6 instead. Looks like my phone also does the same. I'm not entirely sure what the NAT on the ADSL router is doing and if inbound connections will fail if there's nothing outbound holding the translation entry active, but I'm sure I can work around that if it turns out to be a problem. I care more about access than hosting anything on the end of my DSL anyway.

This means I'm finally almost back to where I was nearly 8 years ago, just in time for World IPv6 Launch day.

I've been spending a lot more time recently in meetings. Mostly things I should actually be at. And in general if it's something I think is reasonable I'll try to be there. In an effort to help with this I actually keep my work calendar up to date. Given that I'm running Linux on my laptop and the corporate standard is Exchange this requires a little bit of effort on my part (the Thunderbird Provider for Microsoft Exchange and Android support for talking to Exchange are helpful with this).

Sometimes it seems like I shouldn't bother. I spent this week at a conference, and marked my calendar to indicate I was out of the office. I think I had at least 3 meeting requests, all for things that would actually have been appropriate for me to go to. Last week I managed to be booked for 7 hours of meetings from 7am until noon. That included a 30 minute window where I was triple booked.

The thing is, I'm really not that busy in terms of meetings - you can usually find a spot when I'm free on any given day unless I'm actually not in the office. If you bother to check my calendar, that is.

Another problem I have is the times people like to book meetings at. Booking a technical meeting at 9am isn't going to get me at my best. Equally doing so at 5pm is likely to have me clock watching to make sure I don't miss my bus and/or train. Also I seem to work with far too many people who don't eat lunch and book hour long meetings at midday or 1pm.

I understand sometimes that's the only time you can get everyone into a room together, but at least bloody ask and explain the need rather than just sending out a meeting invite.

Finally, book meetings of a realistic length. There are some people who invite me to things and cause me to add another 30 minutes on the end, because I know it always overruns.

It's not all bad. I have a VP who always runs a meeting to time, and never seems to call one for spurious reasons. I've also worked with a program manager who will organize the meeting so that if you're only there for one point on the agenda that'll get dealt with near the beginning so it doesn't take up more of your time than it needs to. Funnily enough I'm much more likely to go to things both of these people arrange.

Disclaimer: In the unlikely event anyone I work with who invites me to meetings is reading this, I might be talking about you, but everything I mention has been done by more than one person, so I'm not thinking about anyone in particular for each point.
