Je crois que l'année dernière j'avais même pas fait de post, tellement on était allés voir peu de choses. Cette année, on s'en est plutôt pas trop mal tirés. Surtout vers la fin, grâce aux contributions très appréciées de nos baby-sitters. Alors c'est sur que ça n'a rien à voir avec la grande époque, mais tout de même.

Sans attendre, donc, le cru 2012 :

• The Artist : 2 mars 2012, MK2 Gambetta
• My week with Marylin: 21 avril 2012, MK2 Quai de Loire
• The Avengers : 7 mai 2012, UGC Ciné Cité les Halles
• Moonrise Kingdom : 18 mai 2012, UGC Ciné Cité les Halles
• La part des anges : 3 juillet 2012, UGC Ciné cité les Halles
• À perdre la raison : 7 septembre 2012, MK2 Quai de Seine
• Starbuck : 9 septembre 2012,  Gaumont Rennes
• The We and the I, 2 octobre  2012, UGC Ciné Cité Les Halles
• Skyfall: 1er novembre 2012, UGC Ciné Cité Les Halles
• Une nouvelle chance : 27 novembre 2012, UGC Ciné Cité Les Halles
• Argo : 6 décembre 2012, UGC Ciné Cité Les Halles

Onze films, ça reste un peu léger pour rentabiliser une carte UGC/MK2 illimité, mais bon. On notera une quasi complète disparition du MK2, remplacé en grande partie par l'UGC des Halles. Il faut dire que c'est direct en métro. Dans l'ensemble, à part À perdre la raison, j'ai pas eu de mauvaise surprise, je crois que j'ai vraiment tout aimé. Une mention particulière pour The We and the I, je crois.

 

Aujourd'hui les jours rallongent \o/

Bonne fête Delphine !

After some feedback from other people, I have an important update to make on my last post. As I said, what decided me to eventually buy an OpenPGP smartcard was that it supported 4096 bit keys, so it would fit my 4096R/71EF0BA8 key.

In the end, it seems it's a little more complicated than that. 4096R keys are indeed supported, as far as signing and authentication are concerned. But encryption keys seem limited to 3072 bits (or maybe more, I didn't test toroughly). When trying to decrypt some stuff encrypted for a 4096R key on the smartcard, gpg fails with some “general error”. It has already been reported here, but no news since.

In my case, it's not that bad, I decided to go for 2048R for all subkeys. But if you desperately need 4096 bit encryption key, OpenPGPv2 smartcards might not be the right solution for you. I have no idea if the problem lies in GnuPG or in the smartcard, and I can't really find much information on this.

A friend of mine recently reminded me of the OpenPGP smartcard v2, and told me that it was perfectly able to handle 4096 bit RSA keys (provided you have GnuPG v2.0.18+). I had the opportunity to play with one a little, and notice it was super easy to use it for ssh authentication, especially since I already use gpg-agent as my ssh-agent (it should be easy to use a purely software authentication key as ssh key with GnuPG 2.1). So I decided to buy two of them and try to switch my main key (0x71ef0ba8) to it.

The cards arrived this weekend, and I was able to play with it a little. I didn't log every command I typed, but it was pretty easy, in the end. What I decided to do was to use one smartcard for every day usage, and one only for key signing. So basically, I would generate three (signing, encryption, authentication) subkeys, put them on smartcard 1, then put the primary key on smartcard 2. Then erase the private parts, and only keep them on smartcards.

In case it interests people, here the somehow detailed steps. Note that everywhere 'gpg' means 'gpg2' on Debian, we really need GnuPG v2 for correct smartcard handling. You'd better use gpg-agent too, although it doesn't seem mandatory.

1. make a backup! As we're gonna play with private parts (!), it's always a good idea to have backups. And it'll be useful to have one later, in case there's a problem with the smartcards. You can do a copy of your complete ~/.gnupg folder, but I simply did:

   corsac@scapa: umask 066
   corsac@scapa: gpg -o 71ef0ba8.gpg --export-secret-keys 71ef0ba8
   

2. Add three subkeys. Skip this is you already have subkeys (you usually already have an encryption subkey, but I wanted to switch to a new one too) --expert is needed in order to chose capabilities.

   corsac@scapa: gpg --expert --edit-key 71ef0ba8
   gpg> addkey
   Please select what kind of key you want:
      (3) DSA (sign only)
      (4) RSA (sign only)
      (5) Elgamal (encrypt only)
      (6) RSA (encrypt only)
      (7) DSA (set your own capabilities)
      (8) RSA (set your own capabilities)
   Your selection? 8
   
   Possible actions for a RSA key: Sign Encrypt Authenticate 
   Current allowed actions: Sign Encrypt 
   
      (S) Toggle the sign capability
      (E) Toggle the encrypt capability
      (A) Toggle the authenticate capability
      (Q) Finished
   
   Your selection? e
   
   Possible actions for a RSA key: Sign Encrypt Authenticate 
   Current allowed actions: Sign 
   
      (S) Toggle the sign capability
      (E) Toggle the encrypt capability
      (A) Toggle the authenticate capability
      (Q) Finished
   
   Your selection? Q
   RSA keys may be between 1024 and 4096 bits long.
   What keysize do you want? (2048) 
   Requested keysize is 2048 bits
   Please specify how long the key should be valid.
            0 = key does not expire
           = key expires in n days
         w = key expires in n weeks
         m = key expires in n months
         y = key expires in n years
   Key is valid for? (0) 1y
   Key expires at dim. 27 oct. 2013 20:38:44 CET
   Is this correct? (y/N) y
   Really create? (y/N) y
   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   

   Repeat this for encryption and authentication subkeys. Then save and send the key to keyservers

   gpg> save
   corsac@scapa: gpg --send-keys 71ef0ba8
   

3. Next, we'll switch to the smartcard part. I use a Gemalto PC ExpressCard reader which is perfectly recognized under Debian. You just need few tools:

   root@scapa: ~# apt-get install pcscd scdaemon
   

   Plug the reader, insert the card, make sure it's detected:

   corsac@scapa: gpg --card-status
   Application ID ...: D2760001240102000005000016A10000
   Version ..........: 2.0
   Manufacturer .....: ZeitControl
   ...
   

   You can edit various parameter (name etc.) and change the PINs using gpg:

   corsac@scapa: gpg --change-pin
   corsac@scapa: gpg --card-edit
   

4. Then we'll put the subkeys in the first smartcard. It might be a good idea to export again the private keys for backups.

   corsac@scapa: gpg -o 71ef0ba8.gpg --export-secret-keys 71ef0ba8
   

5. We'll now use the keytocard gpg command to move the private parts on the smartcard:

   corsac@scapa: gpg --edit-key 71ef0ba8
   gpg> key 1 # select encryption subkey
   gpg> keytocard
   gpg> key 2 # select signature subkey
   gpg> keytocard
   gpg> key 3 # select authentication subkey
   gpg> keytocard
   gpg> save
   

   A quick check on the card now reveals that it's populated:

   corsac@scapa: gpg --card-status
   Application ID ...: D2760001240102000005000016A10000
   Version ..........: 2.0
   Manufacturer .....: ZeitControl
   Serial number ....: 000016A1
   Name of cardholder: Yves-Alexis Perez
   Language prefs ...: fr
   Sex ..............: unspecified
   URL of public key : http://www.corsac.net/71ef0ba8.asc
   Login data .......: corsac
   Signature PIN ....: forced
   Key attributes ...: 2048R 2048R 2048R
   Max. PIN lengths .: 32 32 32
   PIN retry counter : 3 3 3
   Signature counter : 7
   Signature key ....: 9745 B022 7323 81FE 9E7E  AFF5 6DDB 53F2 A675 C0A5
         created ....: 2012-10-27 11:24:07
   Encryption key....: F7E0 078F EA1A 5F23 92E0  20B3 A83A D136 D98D 0D9F
         created ....: 2012-10-27 11:27:01
   Authentication key: 8CFD D478 AB4A 16F8 F0EC  CD33 24E2 3B5C CC0E 273D
         created ....: 2012-10-17 14:29:18
   General key info..: pub  2048R/A675C0A5 2012-10-27 Yves-Alexis Perez 
   sec>  4096R/71EF0BA8  created: 2009-05-06  expires: never     
                         card-no: 0005 000016A2
   ssb   4096g/36E31BD8  created: 2009-05-06  expires: never     
   ssb>  2048R/CC0E273D  created: 2012-10-17  expires: 2013-10-27
                         card-no: 0005 000016A1
   ssb>  2048R/A675C0A5  created: 2012-10-27  expires: 2013-10-27
                         card-no: 0005 000016A1
   ssb>  2048R/D98D0D9F  created: 2012-10-27  expires: 2013-10-27
                         card-no: 0005 000016A1
   

6. At that point, the private part is replaced by a stub in the secret keyring, so when you export them, you only export stubs which you can then use anywhere without actually giving your private key. So now is a good idea to export the subkeys so you can import them on other boxes:

   corsac@scapa: gpg -o 71ef0ba8-subkeys.gpg --export-secret-subkeys 71ef0ba8
   

   Note that only the subkeys private parts have been moved to the card, not the primary one, so you're still able to sign keys. Here, you have multiple choices. You can simply erase the private key (and later re-import the stubs) and use the offline copy made above when you need to sign another key.

7. What I did is something else. I've put the primary key on my second OpenPGP smartcard. That way, I won't lose it, it'll be kept safely in my house, but still be on a hardware token where it won't come out.

   The procedure for doing is so is exactly the same as above. First take a backup (in case you didn't do it first, do it now since after the keytocard command you won't have a backup of your primary key and there'll be no way to extract it from the smartcard. Then put the new smartcard in the reader, edit the key (don't select a subkey) and run the keytocard command.

   After that, running gpg --export-secret-keys will export the stub and not the private part of your primary key.

In the end, it seems that everything is running fine. Only issue is that scdaemon is sometime not behaving nicely (especially after a card change or or suspend/resume cycle). I didn't yet report a bug but you might want to kill it in case it's stuck.

You can also use the authentication subkey for ssh logins. When the card is inserted, the authentication subkey appears automatically (through the magic of gpg-agent):

corsac@scapa: ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EA... cardno:0005000016A1

And now you can add it to your various authorized_keys and use the smartcard for SSH.

Ce soir, en prenant le métro pour rentrer à la maison, je suis tombé là dessus, qui trainait par terre :

Pour les moins parisiens ou les plus jeunes d'entre nous, c'est un ticket de métro parisien d'il y a pfiou, des années. C'est le premier que j'ai connu, et j'ai fait un paquet d'accordéons en ticket de métros avec ceux là (je sais pas si maman a osé jeter ceux que je lui avais offerts). Apparemment il a été en production de 1976 à 1992.

Le plus étonnant dans l'histoire, c'est qu'il a visiblement été composté hier, ce qui veut dire qu'il a été conservé dans de bonnes conditions et qu'il était encore correctement magnétisé.

Ça m'a filé un sacré coup de nostalgie, n'empêche.

It's been six months since Xfce 4.10 has been released. And it's been four months since Wheezy is frozen. Due to this timing (and the fact Squeeze has 4.6 and doing a 4.6 → 4.10 upgrade needed some tuning in various packages), it was decided to not try to push 4.10 into Wheezy that late in the release cycle.

So Xfce 4.10 was uploaded to experimental instead, and as it needs a full rebuild of all panel plugins against 4.10 panel (another reason for not trying to push it to Wheezy), those have not been uploaded. You can try Xfce 4.10 using experimental, but you'll need to remove the xfce4-goodies metapackage and the various depending plugin (since they'll just crash if you try to load them on 4.10 panel).

Multiple people asked me (either on IRC, by private or public mail) when 4.10 will be uploaded to unstable and transition to testing. Like last time, the answer is : not before Wheezy is released. Right now, we're more interested in stabilizing Wheezy and squashing the bugs there than adding new ones in unstable.

So, if you want to have Xfce 4.10 in Debian sid/testing sooner, then the easiest and fastest way is to fix some release critical bugs so we can release sooner, and then start breaking sid by uploading a whole lot of new stuff there.

Note that this is true also for other software like GNOME, KDE stack (I have no idea how to call it these days), the Linux kernel, strongswan or whatever.

About development releases of Xfce 4.11 (like the recently released exo 0.9 and Thunar 1.5), well, since we already use experimental for 4.10, there's not much chance they get uploaded anytime soon. We could try to package them and let people build it themselves, or I could host it somewhere on my server for people to try. But as I already said, we're more interested in fixing bug in Wheezy right now, and people interested in finding bugs in Xfce development releases (so they are fixed for the final one) should build it themselves and report everything they find on the Xfce bugzilla.

TL;DR: if you care about new, shiny stuff, please help fixing RC bugs in Wheezy.

Tout le monde ne le sait peut être pas, mais mon prénom c'est Yves-Alexis.

Beaucoup de gens m'appellent autrement, pour plein de raisons. Les gens qui me connaissent bien m'appellent Yves-Alex (surtout la famille) ou Yap, parce que c'est plus court. Les gens qui me connaissent moins m'appellent Pierre-Alexis, ou Pierre-Yves, ou encore autre chose, en général parce qu'ils sont incapables de se rappeler un prénom de plus de trois syllabes, parce que c'est trop original, parce que les prénoms composés c'est compliqué.

Beaucoup de gens ne font tout simplement pas l'effort de le retenir en fait. Personne ne fait vraiment exprès de se tromper, ou de ne pas m'appeler par mon prénom. C'est juste que ça ne leur viendrait pas à l'esprit que ça puisse me gêner. Je pense même que certains trouvent même ça plutôt galère, et m'en veulent de m'appeler comme ça (non pas que j'y sois pour quelque chose, moi :). Les gens dont personne n'écorche le prénom ne se rendent sans doute pas compte que ça puisse déranger, qu'à terme, c'est pesant. J'ai parfois envie d'ignorer ceux qui se trompent, de raccrocher aux gens en leur disant qu'ils se sont trompé de numéro. C'est difficile à faire parce que, effectivement, ils ne pensent pas à mal, ils ne le font pas exprès. Ils n'y font juste pas attention.

Au final, très peu de personnes m'appellent par mon prénom complet. Ça ne me dérange pas d'être appelé par des surnoms ou des diminutifs, dans l'ensemble. En tout cas moins que par un autre prénom que le mien.

Je me demande si tous les gens avec des prénoms un peu compliqués, ou originaux, ou étrangers, ou composés, ressentent ce genre de chose. J'ai fait avec pendant très longtemps (ça ne date pas vraiment d'hier, les profs n'y arrivaient déjà pas au primaire).

Mais, ces temps ci, ma fille commence à m'appeler Yap. Et ça, j'avoue, j'ai du mal, un peu. Qu'elle connaisse le surnom, qu'elle sache qui il désigne, voire qu'elle s'amuse avec (sa cousine connaît les prénoms et les diminutifs de ses parents, après tout), très bien. Mais si elle m'appelle autrement que papa j'aimerais bien que ce soit par mon prénom… (à l'occasion si on se croise, ça peut être bien d'éviter Yap en sa présence, vu que ça marche quand même pas mal par l'exemple).

Allez-y, vraiment. Bon évidemment si vous avez détesté Darjeeling ltd. ou The Royal Tenebaums vous pouvez passer votre chemin, mais je sais pas s'il y a beaucoup de monde dans ce cas là.

Si vous aimez l'univers de Wes Anderson, franchement allez-y, c'est que du bon. Y'a pas un détail qui manque, la réalisation est géniale, la bande son parfaite, les acteurs excellents, c'est un film qui vous donne envie de sourire comme un niais (et de faire des posts à l'avenant). Pour paraphraser Gad, c'est un peu un film « qui vous transforme en Faudel ».

Je suis pas sur que le message atteigne beaucoup de gens, mais au cas où… Si vous essayez de me joindre par téléphone et que vous tombez sur un message de votre opérateur vous disant que le numéro n'est plus attribué, c'est « normal ». Orange a arrêté mon abonnement hier à 15h et je n'ai pas encore reçu ma carte SIM Free Mobile… Les choses devraient s'arranger bientôt, mais je risque d'être encore un peu off the grid aujourd'hui.

 

 

Our Dear Project Leader, Stefano Zacchiroli, regularly mentions the fact that there's an amount of Debian money available for hardware sponsoring of Debian developers, but it seems that not much people benefit from it.

Each time I saw one of this reminder, I wonder if I should apply, and the anser is usually no. The fact is that I don't think any new laptop or desktop to do my Debian stuff, and the last time I bought a box (my x201s last summer) it was not really specifically for Debian tasks so I didn't dare to ask (not to mention the fact I bought it because I did have the money to do so).

And I think this is mostly the problem. I might be wrong, but I think that most people which could benefit from this just don't dare asking or don't estimate themselves eligible for it.

When I saw Ben Hutchings post, where the first thing he says is about how hardware is expensive, I thought « hey, he should get some Debian money for buying new hardware: building kernel is really time consuming and having multiple powerful cores, more ram and fast disks/SSDs really helps ». Turns out that Ben just didn't really want to spend too much money there, but the case still stands. We also see from time to time people saying they'll be offline for a while because of broken laptop or something like that. Once again, maybe those people wouldn't mind some help from the Debian project, and maybe they just don't think about asking, or they don't dare.

So thinking about it a bit more, I think I wouldn't dare asking money for myself, but maybe I could dare asking money for other people (this is a bit like the flattr posts by Raphaël Hertzog, where he incited people to give money to projects he liked). If I'm not alone in this case, maybe those Debian developers who think some of their peers would benefit some hardware could drop them a mail with leader@ on copy, to propose just that. No need for huge publicity on that (in order to not embarass people), though the transparency rules still apply when it comes to Debian money.

Tout est dit :

Aujourd'hui les jours rallongent \o/

En regardant rapidement les concerts à venir sur le site de la FNAC, je me suis rendu compte d'un truc marrant. En 2012, (re)monteront sur scène, en France :

• Black Sabbath
• Deep Purple
• Jethro Tull (enfin Ian Anderson)

Je suis pas le dernier a adorer les groupes des seventies, m'enfin quand même là, faut pas abuser. Ritchie Blackmore ça fait trente ans qu'il joue du folk-rock médiéval, je sais pas trop ce que ça va donner sur Smoke on the water quoi.

Bonne fête Delphine !

C'est peut être parce que cette année Noémie est avec nous (depuis plus de 72h), ou peut être parce que les américains sont revenus et que pour eux Halloween c'était signe de balade dans les rues pour voir la gay pride déguisée en zombies. Peut être parce que cette année (hormis Eurodisney et le parc Astérix) y'a pas eu de battage médiatique autour de ça.

Cette année j'ai bien aimé Halloween. On a croisé un zombie ou deux dans la rue, qui avaient en dessous de diz ans, et on a même eu trois petits monstres qui sont venus sonner à la porte en fin d'après-midi pour avoir des bonbons ! Bon par contre on n'était absolument pas préparés, du coup on n'avait que des bonbons au coquelicot du mariage à leur offrir, mais on leur a pas dit, c'était rouge, ça s'est pas vu, par contre ils auront peut être une surprise en les goûtant, ils essayeront de deviner ce que c'était, et pis comme ils étaient moyennement déguisé ça leur apprendra.

À petite dose, ça me va (et le doodle du jour était mignon, si je puis dire. (ils ont vraiment d'énormes citrouilles là bas).

I received recently a mail about my attempt to provide Grsecurity kernels in Debian. The sender found the bug by accident, and asked me why I didn't do some more publicity here. So here we are.

I won't go into details on what grsecurity is, it's fairly complex. But it's basically a hardening patch for the Linux kernel, with three main components:

• the PaX patch, which purpose is to harden the memory layout of the Linux kernel and improve existing options: enforcing of non-executable memory pages (userland and in kernel), W^X (no page marked as writable and executable), ASLR, prevention of invalid userland pointers dereference, copies between userland and kernel memory…
• RBAC (Role Based Access Control), an implementation of Mandatory Access Control
• various hardening features: /proc restrictions, chroot restrictions, kernel symbols hiding etc.

A lot of this touches low level stuff in the kernel, especially memory management. Ideally this patch would be pushed upstream, but Brad Spengler (grsecurity main developper) already said he wasn't interested in upstreaming it and upstream already said the patch was too huge and invasive to include it like that (especially since the original authors aren't interested in maintaining it upstream). There's an ongoing effort to split the patch and merge things little by little, but in the meanwhile having a mid-term solution would be nice.

I know Debian users rebuilding grsecurity-patched kernels themselves, and I know some of them would appreciate having them included in the Debian kernel. Fortunately, the linux-2.6 source package has a nice feature which is called featureset. Basically it's a way to build some (binary) packages using a different set of patches and a different config. For example this was used to provide xen/openvz/vserver patchsets, and is now used to provide rt kernels.

So I though it'd be nice to provide a grsec featureset, and starting doing the work. I have a working setup for producing those kernels, so I've opened a wishlist bug against the kernel (#605090) to have this merged.

Those packages follow the sid kernel. There's an ongoing work for Squeeze, but it's a bit harder there because both the grsecurity patchset and the Debian kernel ship a whole lot of backports to the Linux kernel, meaning the grsecurity patch doesn't apply directly to the Debian source package. Basically I need to remove some of the hunks (since they are already applied to the source) and port some others (since there are some backported code not present in the vanilla 2.6.32, for example the drm code).

Until the patches are merged and the bug is closed, I host some of the built packages at:

deb http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/ sid/

The repository is signed by my key which you can add to your apt setup using apt-key add. If you want to rebuild the packages yourself, here's the method:

mkdir kernel-grsec
cd kernel-grsec
svn checkout svn://svn.debian.org/svn/kernel/dists/sid/linux-2.6
git clone git://anonscm.debian.org/users/corsac/grsec-patches.git
wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.tar.bz2
wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.tar.bz2.sign
gpg --verify linux-3.0.tar.bz2
cd linux-2.6
apt-get build-dep linux-2.6
export QUILT_PATCHES=../grsec-patches
quilt push -a
python debian/bin/genorig.py ../linux-3.0.tar.bz2
debian/rules orig
fakeroot debian/rules source
fakeroot make -f debian/rules.gen binary-arch_amd64_grsec_amd64

You could also do dpkg-buildpackage, pdebuild or whatever. Kernel handbook is a nice reading too if you want more information on how to rebuild Debian kernels. The quilt push -a may fail if you checkout an svn version more recent than mine. I try to keep patches up to date but I usually have some delay.

Note that installing the kernel will require installing linux-grsec-base package. Binary is not yet available on my mirror but you can easily build it. Source can be found on git.debian.org.

If you're interested by this, don't hesitate to mail me or the bug.

The issue

This morning (while I was running late for an appointement) I had a very weird stuff happening on my Thinkpad T61 laptop. Since I recently offered myself a shiny Thinkpad x201s, I have to admit I don't use much my T61 anymore. But this morning I had to print a page (for this appointement) and, as I didn't yet configured my printer on the x201s, I went to the T61. But I noticed that the network was down. I've tried quickly on wireless but, bad luck, my current wifi setup selects the channel automatically and it prefers choosing channels which aren't available in the US. Guess what, my T61 comes from the US and has those channels completely disabled, so no wireless available either.

The investigation

I first tried to

modprobe -r e1000e
modprobe e1000e

to see if it fixed the problem, but it didn't. Worse, the interface disappeared and never reappeared. I tried to reboot but it didn't fix the problem, the link was still down. Running really late, I put the file on a usb key and printed it from the powerbook and postponed the fix for later.

Now, this evening, I tried to investigate a bit more. Symptoms weren't only that the nic wasn't working, but there was a high load on the system (1-2 at idle), unresponsiveness every second or so, and watching top I could see spikes of high cpu usage for the kworker kernel thread. Typing that on google you can find a lot of people running on this issue, usually starting around kernel 2.6.36 or 2.6.37. Now, I might have upgraded the kernel recently to 3.0.0-4, but that didn't look related since the problem first appeared when the laptop was up and running. And I tried to reboot under 2.6.39, 2.6.38 and even 2.6.32 and the problem was still present. Each time, unloading the module would fix the problem, but loading it again wouldn't make the interface reappear. People advised to boot with pcie_ports=compat but that didn't do anything. I tried to boot without intel_iommu=force (disable Intel Vt-d) and pcie_aspm (Active State Power Management) but nothing either.

Considering a userland issue, I've tried to boot a grml live distro (always keep a grml.iso in your /boot, extlinux-update will even put it in your menu automatically), and the problem was still present. So not a Debian kernel issue, not a userland issue, only thing left was the laptop. I didn't update the Bios recently, so I wondered exactly what could be the problem. I started to feel a little bad, since I still really like that laptop, and that I already decided to lend it to my sister since her own T61 is sitting with a dead system board in my shelf. I know she might have some negative waves, but she was not even landed when the problem first appear.

The fix

Then I had a flash. It's not mystery that I'm used to break network cards, and I had the bright idea to shutdown the laptop, disconnect AC and battery, then let it idle a bit. I even tried the secret Thinkpad power button code but I think it's unrelated. Then I re-plugged the battery, booted to grml and the issue was gone. I rebooted on the standard Debian and the link was up, network was working.

So what happenned?

The (tentative) explanation

My guess is that, somehow, the network card firmware has an issue and choked on something (a network frame or an attack exactly like the one we demonstrated on ASF firmware). In fact, no, I don't think it's the e1000e firmware. My T61 comes with Intel vPro, which includes AMT (Active Management Technology), a remote management solution a bit like ASF but more advanced. As far as I know, AMT firmware always runs, even when it's disabled, it's just completely idle. Idle, but in this case I think it choked on something, and a reboot isn't enough to restart the AMT firmware. But a real hard reset without any power seems to do the trick.

What next?

Well, a part of me is pretty scared, but another is just bored. I mean, we know about that, that's exactly the kind of issue we are warning people of. I have no idea what exactly happened, and there's no way I'll be able to reproduce that, but I'm pretty sure it's something lying at a pretty low level in the platform, and which can severely disable your workstation. Now if it happens again I won't lose too much time on this.

TL;DR: helping other people

In case you came here because you searched on google terms like “kworker cpu usage”, e1000e, interrupts, it might be a good idea to first reboot on a live CD to eliminate installation issues, then shutdown the laptop, remove the battery and let it few seconds idle. This might be enough to reset “something” inside and fix the situation.

Retour aux Riceys après le mariage. Non pas un voyage de noce (encore que) mais plutôt en week-end festif entre potes. Festif oui, mais studieux aussi.

Le constat de départ, c'est que Romaric & co possèdent quelques arpents de vignes (saviez vous qu'un arpent n'est en fait pas une unité de surface mais une unite de longueur ? il faudrait dire « quelques arpents carrés ») en Champagne, et que la saison des vendanges c'est à peu près maintenant.

Or, Romaric & co ça veut dire quelques paires de bras, mais beaucoup plus. Et même avec juste « quelques » arpents (carrés) de vignes, ça fait quand même un paquet de kilos de raisins (on se rend pas très bien compte, mais ça produit ces bêtes là, en fait). Et donc, qu'à eux tous, ils risquent de pas tout à fait s'en sortir avant l'hiver, ce qui ferait un peu tache.

Longue histoire courte (et autres anglicismes), ils avaient besoin d'un coup de main (et de plusieurs mêmes si possible) et comme on est gentils, qu'on aime bien Romaric (et le champagne) et que ça faisait l'occasion (et le larron) d'aller prendre l'air à la campagne.

C'est assez agréable, en dehors du côté air pur de la campagne, de se mettre un peu au travail physique, et faire travailler autre chose que son cerveau et ses doigts. Se vider la tête, travailler méthodiquement : se baisser, enlever les feuilles, repérer les grappes, trouver la tige, mettre sa main gauche dessous (pas derrière), donner un coup de sécateur (de vendangette), récupérer la grappe dans la main gauche, la déposer dans le seau, passer à la grappe suivante, puis au plan suivant, vider le seau de temps en temps dans une caisse, croquer dans une grappe à l'occasion histoire de reprendre un peu de sucre.

Je sais pas si au bout d'une semaine à faire ça 8h par jour j'en aurais pas un peu marre (sans doute que si) et si j'aurais pas mal au dos (étonnamment je n'ai pas eu du tout mal au dos, par contre j'ai eu mal au pied droit qui est resté plié tout le temps, on peut pas tout avoir). Mais là, trois demi-journées, c'était bien, c'était même un peu frustrant de partir avant la fin, de pas arriver au bout, de finir le travail et d'avoir la satisfaction d'en avoir terminé. L'année prochaine, si on remet ça, pas de doute, il faut :

• avoir des bottes avec soi (plutôt que les squatter) ;
• acheter une paire de gants genre gants à huitre anti-coupures, pour pas se découper les mains avec la vendangette ;
• prévoir trois jours, voire un peu plus pour profiter du avant/après et décharger un peu les organisateurs qui ont plein de trucs à gérer.

Évidemment, l'année prochaine on sait pas ce qu'on fera à cette période là et c'est encore un peu tôt pour commencer à tirer des plans sur la comète, mais c'est tout de même quelque chose qui m'a bien plu, un moment de partage, de repos mental, de plaisirs sains, de grand air. Pas tout à fait des vacances, mais pas loin quand même.

(avec ça, si Romaric nous rembauche pas l'année prochaine, je sais pas ce qu'il lui faut…)