1. I set the Hard Disk password in the BIOS. This is fairly impenetrable, (IBM certainly won't get it back for you), but it is probably circumventable by a talented data thief. Don't forget it!! [It also means that the laptop cannot boot up unattended.] I didn't set a BIOS password, since the HDD password is sufficient (and stronger than the BIOS password anyway). From the Linux-thinkpad mailing list:

   "[The Hard Disk password] is pretty secure. The protection is provided by the drive itself: one needs to disassemble the drive, separate the drive platters from its internal IDE controller and replace this controller to get to the data.
   
   One important thing to know about Thinkpads is that if you also set a poweron password in the BIOS, the harddrive password gets copied to an EPROM on the motherboard. As a consequence, not setting a poweron password and only a harddrive password decreases the risk of an attacker to get to the data."

2. Most systems (given an attacker with physical access) can be booted up, either using Knoppix, or by pressing Escape while Lilo is starting, and then typing linux single. So the login password alone is no protection at all! Even if CD-ROM boot is prevented by a BIOS password, and Lilo single-user boot is disabled, the Hard disk can still be read by placing it in another machine,
3. Encrypt: /home, since it contains my data.
4. Encrypt /var, since it contains all sorts of things: logs, slocate.db, postgres database...etc.
5. Encrypt swap, because anything could end up there (and in the clear). Swap is the easiest to encrypt, and most transparent, so I'd recommend to encrypt that, even if nothing else.
6. Not encrypted: / (the root directory), because it's all open source anyway! Furthermore, this is quite a complex operation, especially if trying to install there! And the performance hit would be most significant if the applications were encrypted. Yes, there is a little information which could leak out via /etc, but for me, this isn't important - besides which, my email address is written on the bottom of the laptop!
7. Not encrypted: /boot, because this would be impossible! [If worried about a trojaned kernel being installed here, boot only off a USB-key, and keep the key in your sight at all times!]
8. I decided to use losetup rather than dm-crypt, since losetup is more established, and at least partially supported by a (broken) Mandrake rc.sysinit script. dm-crypt might actually work OK with Mandriva 2006, but it certainly didn't when I originally set this up under 10.2.
9. Using losetup means that suspend-to-disk is dangerous, since the RAM will be in clear on the disk! But I only ever want suspend-to-RAM anyway. dm-crypt would allow cryptographic suspend-to-disk. Also, "newer versions of suspend2 also have native encryption support via the crypto-API of the Linux kernel." [But Mandriva doesn't seem to use suspend2.]
10. Firewire can be dangerous. IEEE1394 devices can, by design, snoop on the host's memory. This is useful for debugging, but can be considered harmful. The laptop has no inbuilt 1394 device, but a PCMCIA card would be helpfully hotplugged by Mandrake! So prevent the modules from loading.
11. The implication of the setup which I have chosen is that:
    • When the system is switched off, if someone tries to access the hard disk, we are protected by encryption.
    • When the system has booted up, all the encrypted partitions are mounted. We are now protected by the kernel, the login program, file permissions, and a strong password.
    • When the system is left running, but unattended, xscreensaver is used to lock the display. We now are protected by xscreensaver. (And sshd, if on a network)
12. Obviously, choose a strong password and passphrases. Also, there are some useful articles on data-hygiene published by The Register, on internet anonymity and data security.
13. Here are some other encryption resources which may be of interest. Note that losetup is older than dm-crypt.
    • Loopback AES Readme
    • Linux device-mapper cryptography (dm-crypt) and the dm-crypt wiki
    • How to encrypt the entire hard disk
    • Linux Journal article: Implementing Encrypted Home Directories (but slightly old, not referring to dm-crypt)
    • Disk and email encryption in Linux (covers Open PGP and Mandrake 9.1)
    • Encrypting the whole disk using Gentoo and losetup. (Not really relevant here)
    • Cryptoloop howto (Mounting an encrypted file instead of a partition)
    • EncFS (doing everything in userspace. Uses Fuse. Easier, but less efficient)
    • GPG: Encrypting file-at-a-time. (Useful for emails)
    • StegFS (plausible deniability by having multiple layers of encryption).
    • Other "attacks" include listening to the sound of the keyboard, listening to the sound of the CPU, and sampling diffuse visible light from the monitor.
    • Tom's Hardware intro (LUKS).
14. Other considerations:
    • Can the encrypted home partition be locked without unmounting it? Eg before invoking the screensaver, or suspending, somehow forget the key, without first having to close all the applications and unmount /home. I can't see why this shouldn't be possible, but it would appear to need a kernel modification.
    • Can we trust the login program? Yes, probably (provided the password is good enough). Thus, when the system is running, we are protected by the passwords. The encryption protects against someone with physical access to the machine, who can remove the hard disk (or use a bootable CD).
    • Can we trust xscreensaver to do the locking? Yes, probably, provided that the password is sufficiently strong, and that there are no root logins on the virtual consoles, which xscreensaver cannot protect. Xscreensaver uses PAM, so it is as good as login. Disabling Ctrl-Alt-Backspace would be a good idea. If there were some way to crash X (or xscreensaver) without logging out, this would leave /home exposed.
    • What about the daemons? Could sshd or apache compromise things? Make sure that permissions are not world-readable! What about ~/public_html? Obviously, we need to run a fully up-to-date system, with no known local-root exploits.
    • What about the risk of a dictionary attack on /etc/shadow? Obviously, I use a password which is not a dictionary word! But a really sophisticated attacker could perhaps surreptitiously "borrow" the unattended laptop, copy /etc, run some crack against /etc/shadow, return the laptop, wait for me to log in, then steal it. "A possible improvement is adapting your pam configuration to replace the standard unix authentication (pam_unix.so) with pam_ssh.so (use your ssh passphrase to log in) or pam_usb.so (use a usb-stick to log in)" But obviously, losing a usb-stick is very easily done!
    • Can we use PAM to automate any of this, to reduce the number of times the passphrase needs to by typed. Is there any reason why root password, my user password, and SSH passphrase should be different?
    • Can the SysRQ key do anything bad? It appears not, according to the documentation in /usr/src/linux-xxx/Documentation/sysrq.txt
    • We are still vulnerable to a brute-force attack with sufficient computing power; to theft of the laptop while unlocked; or to theft while locked, but powered on, and with sufficiently clever electronic probing of the motherboard (or via firewire).
    • Newer thinkpads, with 'biometric fingerprint sensors' should not rely on these. The sensors do not reliably discriminate between users, and are very easy to fool. Furthermore, one's fingerprints can easily be retrieved...from the laptop!
    • If any of this is wrong, please tell me!

1. The new Mandrake installer is very slick, and just works. "expert" mode has gone away. There is a very useful rescue mode on the first CD, in case you mess up the system.
2. It did prompt me to upgrade from 9.1, which would probably have worked fine. However, I decided to do a full reinstall, and re-partition.
3. Accept license. Read release notes. British English. UK keyboard.
4. Security=high (don't choose paranoid - you can make your system almost unusable!). Security admin = rjn (this is the person who gets the email from msec etc).
5. Mouse = any PS/2 or USB (the default).
6. Partitions. If you are not using encryption (or just encrypting swap), I would recommend something simple, eg:

   Partition	Size	Mount point	Filesystem
   hda1	7 GB	/	ReiserFS
   hda5	550 MB (slightly larger than RAM)	swap	swap
   hda6	1 GB	/spare	ReiserFS
   hda7	21 GB	/home	ReiserFS

   However, I decided that I wanted to encrypt /var, and hence the partition scheme is slightly more complex. Diskdrake has an "encryption" option, which doesn't work well. Don't use it - and install everything unencrypted for now. Thus:

   Partition	Size	Mount point	Filesystem
   hda1	200 MB	/boot	ReiserFS
   hda5	6.5 GB	/	ResierFS
   hda6	550 MB (slightly larger than RAM)	swap	swap
   hda7	1024 MB	/var	ReiserFS
   hda8	1024 MB	/spare	ReiserFS
   hda9	20 GB	/home	ReiserFS

7. Package Selection: it is usually easier to install a small system, then add urpmi sources, and select more packages once it is done. So I just accepted the default groups.
   NOTE: DO NOT install lm_sensors (it can destroy some thinkpads - see linux-thinkpad.org). Mandrake do not include it by default, and lm_sensors should now safely exit before damaging vulnerable machines, but it's worth making sure. This also means avoiding glms, ksensors, and not running sensors-detect.
8. Define a root password, a user (rjn) and password.
9. Put the Lilo bootloader on the MBR (Master Boot Record)
10. At "Summary", I went through all the config options:
    • Timezone -> London, Hardware Clock = GMT, Use NTP
    • Printers -> configure after install.
    • GUI -> Generic Flat Panel Display, 1600x1200, Rage 128 Mobility, Xorg 6.8.2 with hardware acceleration, 16 bit per pixel.
      Note: It is necessary to choose 16 bit/pixel and not 24 bpp in order to have hardware acceleration working. glxgears gives 787 FPS at 16 bit, but only 158 FPS at 24 bit.
    • Network -> LAN: set eth0 to DHCP. Do NOT assign host name from DHCP address. Do not set "DHCP hostname". Choose start at boot. Get DNS servers from DHCP. Hostname="toffee-pecan.baddiant.org.uk". Zeroconf hostname=blank. Note: Unlike earlier versions, 10.2 will background the DHCP request to allow boot to proceed faster. However, you can also set a timeout.
    • Firewall off all but SSH, and ping.
    • Bootloader -> 5 second delay. Clean /tmp at boot. No need to specify precise RAM size. ACPI is now supported, so allow it. (Previously, I used APM). Add "splash=verbose panic=60" to the bootloader options (respectively: make bootsplash verbose, so that the boot messages are visible; reboot after a kernel panic rather than hang.)
    • Services -> deactivated many of these. In particular, unless you need them, deactivate anything to do with NFS (netfs,nfslock,portmap) and Zeroconf (mdadm, mDNSResponder,nifd). Here is what I am running on my laptop. Note that some of these choices may not suit everyone. [I don't have a printer on the laptop, (no cups); I do web-development (postgresql,httpd), and I have internet connection sharing enabled for use when travelling (dhcpd,squid,named). ACPI is now supported, (although APM works too). I have no bluetooth hardware, and I never change the ultrabay. Irda causes crashes, and anacron causes the disk to thrash (rpmv,msec) for 20 minutes!]
      • These are running: alsa, acpi, acpid, atd, cpufreq, crond, dhcpd, dm, haldaemon, harddrake, hotplug, httpd, keytable, kheader, messagebus, named, network, ntpd, partmon, pcmcia, postfix, postgresql, shorewall, smartd, sound, squid, sshd, syslog, udev, xfs
        
        
      • These are not running: anacron, apmd, apmiser, bluetooth, cups, cpufreq, cpufreqd, dund, hidd, iptables, irda, laptop-mode, mDNSResponder, mdadm, netfs, netplugd, nfslock, nifd, oki4daemon, pand, pcscd, rawdevices, ultrabayd, vncserver
11. Reboot.

• check hard disk performance: Is DMA enabled (it should be): hdparm -tT /dev/hda. Test data rate: hdparm -tT /dev/hda [I get 287 MB/s, 19 MB/sec respectively].
• check memory status: free -m [more info]
• check disk space: df -h, and what is mounted where: mount
• is swapenabled? swapon -s
• check which kernel is running: uname -a
• check 3D acceleration: glxgears [I get 787 FPS]
• check which processes are running: top; ps aux | less; chkconfig --list; service --status-all
• check network: ifconfig -a
• check for system error messages: dmesg; /var/log/boot.log; /var/log/messages; /var/log/kernel/*

• splash=verbose -> so that the boot-up messages are visible. Mandrake defaults to hiding them with splash=silent. The old way (just text) is splash=none.
• panic=60 -> so that, if there is a crash, the system will try to reboot after 60 seconds. Useful if unattended. (We could also install the watchdog).
• acpi=off -> this would be used if we want APM rather than ACPI. To have ACPI, no entry is required.
• inotify -> so that inotify is enabled, which allows KDE's volume manager to detect changed media (eg CDROMs or USB-keys.)
• vga=794 -> so that the console uses a much higher resolution, which makes it far more pleasant. (To see which modes are possible, run hwinfo --framebuffer, then convert it using this table.)

image=/boot/vmlinuz-2.6.12-12mdk-i586-up-1GB
        label="2612i586up1GB-12"
        root=/dev/hda5
        initrd=/boot/initrd-2.6.12-12mdk-i586-up-1GB.img
        append="resume=/dev/hda6 splash=verbose panic=60 inotify"
        vga=794

• Permit the root user to access your normal xsession: run (as yourself) xhost local:root
• Invoke the GUI application directly: sudo xclock
• Use the sux wrapper script instead of su, to transfer the X credentials.

• Official - this is the "stable" release. Recommended for servers.
• Devel = Community - this is the slightly more bugfixed and updated system (and is required by some PLF packages). Recommended for desktops.
• Cooker = Bleeding edge, and usually broken! Recommended only for Mandriva developers.

• Main = the 3-6 CDs you download. (Core distribution).
• Contrib = packages built by other volunteers - over 2GB of useful stuff, but not officially in the main distribution.
• PLF = "Penguin Liberation Front" - packages that might cause legal headaches in some countries, mainly multimedia. PLF is split into plf-free and plf-nonfree. [Note: PLF is designed to work with Community, not Official.]
• Updates = updated packages fixing bugs and security problems. [Only official has an updates source; for devel or cooker, updates are subsumed into the other media.]

• Club Open source packages = updated packages available to MandrakeClub members. You may wish to pick and choose these rather than adding the urpmi source: if so, browse the mirror with lftp.
• Club Commercial = non-free, binary packages such as Java and Flash. These are available as RPMS from MandrivaClub; if you prefer, you can download these directly from Sun,Macromedia etc.

• 2006 RPMS - updates for many and various packages, built for Mandriva 2006.
• KDE 3.5 RPMS - packages for KDE 3.5

• main_community (ftp://anorien.csc.warwick.ac.uk/Mandrakelinux/devel/2006.0/i586/media/main)
• contrib_community (ftp://anorien.csc.warwick.ac.uk/Mandrakelinux/devel/2006.0/i586/media/contrib)
• plf-free and plf-nonfree (ftp://ftp.free.fr/pub/Distributions_Linux/plf/mandrake/free/2006.0 and mandrake/non-free/2006.0)
• SoS-KDE (http://seerofsouls.com/KDE-3.5)
• mandriva_club [Only temporarily configured, to download Java,Flash,OpenOffice2; then removed]

• urpmi bash-completion
• Pick one of:
  • cp /etc/skel/.bash_completion $HOME
  • . /etc/bash_completion in your ~/.bashrc
  • edit the file: /etc/sysconfig/bash_completion

• In all distributions , if the word is unambiguous, pressing [Tab] once will complete it.
• In Mandrake, if the word is ambiguous, pressing [Tab] once will print a list of options. (with no beep).
• In most other distributions, if the word is ambiguous, pressing [Tab] once will just beep at you. You have to press [Tab] twice to get the completion options. This rapidly gets irritating, and causes lots of beeping!

# Show all if ambiguous.
set show-all-if-ambiguous on

• Typing 'help' will give a guide to the bash builtins. 'info bash' or 'man bash' are extremely useful; reading the man page in konqueror ('man:/bash') is easier.
• Here is a useful reference: the Advanced Bash Scripting Guide. (Also, a list of special characters and string functions )
• Mandrake defines a lot of helpful aliases, such as 'cd..' and 's'. Type 'alias' to list them.
• Keyboard shortcuts in bash/readline are described in info bash "Command Line Editing" or man readline. There are very many: here are some of the most useful:

  Shortcut key	Function
  Ctrl-a,Ctrl-e	Move to start,end of line
  Ctrl-b,Ctrl-f	Move back/forward one character
  Alt-b,f	Move back/forward one word
  TAB	Smart completion (within uniqueness) of command or filename
  Alt-/	Force completion on filename (override smart completion).
  Ctrl-u,k	Cut ("kill") from cursor to start/end of line
  Ctrl-w,Alt-d	Cut from cursor to previous whitespace,end of word
  Ctrl-y	Paste ("yank") previous cut text
  Ctrl-_	Undo previous edit
  Ctrl-l	Clear screen (except for current line)
  Ctrl-r	Reverse-search through history

• Quoting.
  • Single quoted phrases in bash are literal. Within sinqle quotes, you may never use another single-quote, not even with a preceeding backslash (\'). See QUOTING in the bash manpage
  • Double-quoted phrases in bash treat $, `(backtick), and \(backslash) specially. Double-quoted doublequotes may be escaped by \". Beware of ! characters within interactive shells: echo "Oops!" will cause an error.
  • Conatenation is allowed: TEXT="What's your name?\n"'My name is "Richard"'; echo -e $TEXT
  • Without quoting, filename globbing takes place. *, ? and [...] have special meanings: see PATTERN MATCHING in the manpage.
• Globbing is the process by which special characters are expanded to match filenames. For example ls *.jpg lists all files ending in .jpg. But consider what happens when there are no matches. By default, bash falls back to a literal '*'. shopt -s failglob makes it throw an error; shopt -s nullglob makes it result in the empty string. All choices are problematic - consider:
  • i=0; for file in *ZZZ; do let i++; done; echo "There are $i files matching '*.ZZZ'" when there are no relevant files. Without failglob/nullglob, this will give the answer '1' when it should be zero. nullglob is best.
  • ls *ZZZ. The default (neither nullglob nor failglob) results in "ls: *ZZZ: No such file or directory". However, with nullglob, it becomes just ls, listing the entire directory.
• $IFS is the input field separator. By default, it is <space><tab><newline>. Any of these characters are treated as delimiters when tokenising input. For example:
  set `echo "first second"` ; echo "'\$1' is $1 and '\$2' is $2" results in '$1' is first and '$2' is second, whereas
  IFS=':'; set `echo "first second:third"` ; echo "'\$1' is $1 and '\$2' is $2" results in '$1' is first second and '$2' is third.

• [2.4.1] Fix the timeout for mounting encrypted filesystems on boot-up. It should wait a long time.
  Edit the line just above the comment: #Mounting Encrypted filesystem
  and change the timeout to 600. The correct line reads:
  [[ -z $AUTOFSCK_CRYPTO_TIMEOUT ]] && AUTOFSCK_CRYPTO_TIMEOUT=600
• [2.4.2] Fix rc.sysinit so that, if you get the passphrase wrong, it asks you again...and again (10 times).
  Edit the section which begins: #Mounting Encrypted filesystem
  
  Replace this part of the script:
  

  echo "We have discovered Encrypted filesystems, do you want to mount them now ?"
  MSG=`gprintf "Press Y within %%d seconds to mount your encrypted filesystems..."`
  KEYS=`gprintf "yY"`
  if /sbin/getkey -c $AUTOFSCK_CRYPTO_TIMEOUT -m "$MSG" "$KEYS"; then
  	echo -e '\n'
  	for i in ${encrypted};do
  		echo -n "${i} "; mount ${i}
  	done
  else
  	echo -e '\n'
  fi

  [download]
  
  with this new version:
  

  echo "We have discovered Encrypted filesystems, do you want to mount them now ?"
  MSG=`gprintf "Press Y within %%d seconds to mount your encrypted filesystems..."`
  KEYS=`gprintf "yY"`
  if /sbin/getkey -c $AUTOFSCK_CRYPTO_TIMEOUT -m "$MSG" "$KEYS"; then
  	echo -e '\n'
  
  	#We *really* don't want to boot up without this mounting successfully, so give
  	#10 chances for the user to type the passphrase.  If there is more than one
  	#encrypted partition, try the same passphrase before making the user re-type it.
  
  	unset crypto_passphrase
  	for i in ${encrypted}; do
  		failcount=0
  		while [ $failcount -lt 10 ]  ;do
  			if [ -z "$crypto_passphrase" ];then
  				read -s -p "Enter passphrase for encrypted partition(s) ${i}: " crypto_passphrase
  				echo -e '\n'
  			else
  				echo "Trying the same passphrase for encrypted partition ${i}"
  			fi
  			echo "$crypto_passphrase" | mount -p0 ${i} ; result=$?
  			if [ $result == 0 ];then
  				echo "Successfully mounted encrypted partition ${i}"
  				break
  			else
  				let failcount++
  				echo "Failed to mount ${i}; used $failcount attempt(s) out of 10 allowed."
  			fi
  			unset crypto_passphrase
  		done
  	done
  	unset crypto_passphrase
  
  	else
  	echo -e '\n'
  fi

  [download]
• [2.4.3] Fix the section beginning with: Check loopback filesystems, so that it doesn't check filesystems which are both loopback AND encrypted.
  It should read:
  

  # (pixel) Check loopback filesystems
  	if [ ! -f /fastboot ]; then
  		modprobe loop
  		gprintf "Checking loopback filesystems"
  		#Fsck -T -R -A -a -t opts=loop $fsckoptions
  		Fsck -T -R -A -a -t opts=loop,noopts=encrypted $fsckoptions
  	fi

  [download]
• [2.4.4] Side effect: service udev status is untruthful
  udev is started very early by rc.sysinit, before /var is mounted. service udev start tries to save the status by touching /var/lock/subsys/udev. This failure is harmless, but it will mean that service udev status wrongly claims that udev is stopped when it isn't. To check the truth, use pgrep udevd instead. If desired, add this to rc.sysinit immediately after mounting /var (in section 2.4.2 above):
  

  #Udev has already been started, but the lockfile hasn't been created, because /var wasn't mounted at that time.
  	[[ -d /var/lock/subsys/ ]] && pgrep udevd >/dev/null 2>&1 && touch /var/lock/subsys/udev 2>/dev/null

  [download]

• This now works. Test it by comparing the result of cat /dev/hda9 | strings with what you would usually see. It is gobbledegook!
• Don't use diskdrake to set up encryption: it won't work, and it won't allow you to encrypt /var anyway.
• As a consequence of /var being on a separate partition, and the need not to waste disk space, postgresql may need to live in /home rather than /var/lib/pgsql/.
• Remember to lock the screen if you use a screensaver!
• See note below on suspend to RAM.
• Keep a copy of your new /etc/rc.d/rc.sysinit, because if you upgrade or update with urpmi, it will be overwritten by the defaults. In order to prevent this occuring, add this to /etc/urpmi/skip.list:

  #Keep modified rc.sysinit for mounting encrypted partitions at boot.
  initscripts

  [download]

#Start the device-mapper for the encrypted partitions using dm-crypt.
#Prompt for the passphrases as required.
#Do NOT boot until the correct passphrases have been supplied.
modprobe dm-crypt >/dev/null 2>&1
service cryptdisks start

1. Find out which xorg packages are installed: rpm -qa | grep -E 'xorg|X11R6'. I had the following:

   xorg-x11-6.9-1.cvs20050915.2mdk xorg-x11-server-6.9-1.cvs20050915.2mdk libxorg-x11-6.9-1.cvs20050915.2mdk libxorg-x11-devel-6.9-1.cvs20050915.2mdk xorg-x11-xfs-6.9-1.cvs20050915.2mdk xorg-x11-100dpi-fonts-6.9-1.cvs20050915.2mdk xorg-x11-75dpi-fonts-6.9-1.cvs20050915.2mdk xorg-x11-xauth-6.9-1.cvs20050915.2mdk xorg-x11-Xprt-6.9-1.cvs20050915.2mdk X11R6-contrib-6.9-1.cvs20050915.2mdk.i586

2. Download these from http://seerofsouls.com/RPMS-2006/. I didn't set this as an urpmi source because I don't want to pull in all the upgrades from here.
3. Install the packages with urpmi:

   urpmi ./xorg-x11-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-server-6.9.0-1.2006.SoS.i586.rpm ./libxorg-x11-6.9.0-1.2006.SoS.i586.rpm ./libxorg-x11-devel-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-xfs-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-100dpi-fonts-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-75dpi-fonts-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-xauth-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-Xprt-6.9.0-1.2006.SoS.i586.rpm ./X11R6-contrib-6.9.0-1.2006.SoS.i586.rpm

4. Get the updated packages from the community mirror. urpmi.update -a; urpmi --auto-select
5. Log out. Then restart X: service dm stop; service xfs restart; service dm start

• xrandr is invoked: xrandr -s [NUMBER] and allows you to re-size the entire desktop. (xrandr is "X rotate and resize")
• krandrtray is invoked: krandrtray and is a KDE system-tray GUI for xrandr.
• xvidtune is invoked: xvidtune -next and changes the "viewport" onto the desktop. For example, an 800x600 viewport which can be panned around on top of a 1600x1200 desktop.

1. Make sure that the mode (such as 1024x768 or 800x600) is working on the internal LCD.
2. Plug in the projector, and use Fn-F7. If both LCD + Projector are enabled, then with some projectors, there may be problems with timing errors. (The symptoms are: Distortion/Flickering; LCD monitor may complain about timing frequencies; Projector may fail to display anything, or mis-sync giving a "sliced" image). If so, use Fn-F7 again to have only the projector: of course, this means that there is no 'Autocue', so have a printout of the slides available!
3. Use xrandr -s 800x600 to resize the desktop as necessary to fit onto the projector.
4. Give the presentation. NB: practice in advance; text not too small; test projector in advance; have printout of notes; check timing; speak slowly; be calm.

• Add the DisplaySize line to /etc/X11/xorg.conf:

  Section "Monitor"
      Identifier "monitor1"
      VendorName "Generic"
      ModelName "Flat Panel 1600x1200"
      HorizSync 31.5-90
      VertRefresh 60
      DisplaySize 304 228     # <-- Added by rjn to sort out tiny fonts - these are width, height in mm
      ....
  EndSection

  [download]
• Change the dpi line in /etc/X11/Xresources to:

  Xft.dpi: 133

  where 133 is the value of xdpyinfo | grep resolution.
• Unfortunately, the gnome-font-properties program (which configures GTK applications) does not respect the value from the X-server. Start gnome-font-properties, click 'details', and manually change the resolution from 96 dpi to 133 dpi.

1. We can discover which mouse we want by doing cat < /dev/input/mouseX and wiggling the mouse. In this case, it happens to be /dev/input/mouse0
2. We want to create a udev rule to symlink /dev/input/trackpoint -> /dev/input/mouse0
3. Find out about the device with udevinfo: udevinfo -a -p /sys/class/input/mouse0
4. Add the following to /etc/udev/rules.d/10-local.rules:

   #Symlink the relevant /dev/input/mouseX by /dev/input/trackpoint:
   BUS=="serio", kernel=="mouse*", SYSFS{description}=="i8042 Aux Port", NAME="input/%k", SYMLINK="input/trackpoint"

   [download]
5. Modify xorg.conf to refer to /dev/input/trackpoint rather than /dev/input/mice
6. Reboot (since the PS/2 port doesn't like hotplugging)

• If multiple mice are now needed, the ServerLayout section should have one "CorePointer" and the others to "SendCoreEvents".
• For the A22p, it is also valid to use /dev/psaux for the trackpoint device.
• Note: we don't want /dev/input/eventX nor do we want /dev/input/tsX, since these can cause subtle errors.
• If the Xserver fails to start, Mdk will 'helpfully' re-detect the mice, and over-write your carefully constructed file. So keep a copy!

• Button 1 = ordinary Left-click
• Button 3 = ordinary Right-click
• Button "X" = ordinary Middle-click (i.e. paste.) [Button X is achieved by pressing btn1 and btn3 together]
• Button 2 + move trackpoint = Vertical AND Horizontal scroll

• Emulate3Buttons on: this means that (Button 1 + Button 3) => emulated middle button.
• EmulateWheel on: this means that Button 2 + move mouse => emulated scroll wheel
• EmulateWheelTimeout = 0: this means that Button 2 does not generate middle-clicks. Only Button X does.
• YAxisMapping = "6 7": Vertical scroll generates a series of button 4,5 events, which the application treats as a vertical scroll.
• XAxisMapping = "4 5": Horizontall scroll generates a series of button 6,7 events, which most applications treat as a horizontal scroll.
• No, that's not a mistake: it cancels another bug, namely the existence of /etc/X11/xinit.d/mouse_buttons which swaps buttons 4<=>6 and 5<=>7

• Horizontal scrolling is misinterpreted as forward/back in Mozilla. See below for fix.
• Newer Thinkpads have 3 buttons in a row. As of Xorg-6.9, they can use EmulateWheelTimeout, to allow Button 2 to be *both* scroll and middle-click. This works extremely well, except for a few applications (xfig,pcb) which use middle-button drag, so cannot coexist with EmulateWheel. [For older versions of X, see here for alternatives.]
• The mouse options are documented in man (4) mouse. [But there is sometimes another mouse manual page of the same name documenting the electronic protocol for mice. To get the right man page, use: man /usr/X11R6/man/man4/mouse.4x.bz2]
• For testing, use xev to identify button presses and xmodmap -pp to show the button mapping.

• The X and Y axes were switched (i.e Option "YAxisMapping" "4 5" Option "XAxisMapping" "6 7") because /etc/X11/xinit.d/mouse_buttons didn't work.
• EmulateWheelTimeout had no effect. It was stuck on the default 200ms.
• The ZAxis mapping to some non-existent buttons was needed.

• Either use xmodmap, by including this in ~/.kde/Autostart/kde-startup.sh:

  #Get rid of Caps Lock and make it into an additional Control Key.
  xmodmap -e "remove Lock = Caps_Lock" \
          -e "keysym Caps_Lock = Control_L"    \
          -e "add Control = Control_L"

  [download]
• Or: use the KDE control center: Accessibility->Keyboard Layout->Xkb Options->Make CapsLock an additonal Control

• Meta is (roughly) Emacs-speak for Alt. Sun keyboards have Meta, whereas PC keyboards have Alt.
• AltGr (Right_Alt) is AlternateGraphic for other characters such as μ, which is entered as AltGr + m.
• Compose is an alternative way to get composite characters. Eg © is entered with the sequence Compose, o, c. However, (unless using Unicode), it only duplicates the functionality of AltGr and isn't really required.
• Super is often mapped to the Windows-key [which isn't present on ThinkPads], and is usually used for extra Window-manager functions and custom global program-shortcuts.
• Hyper is also sometimes, but uncommonly used. It may be mapped to the Menu key [not present on ThinkPads].
• Mod1 - Mod4 are the internal names used by the X-server for the modifiers: up to 4 are allowed. Usually, Mod1 = Alt/Meta; Mod2 = NumLock; Mod3 = AltGr (= KDE 3rd level), and Mod4 is free.
• Space Cadet Keyboards have all of the above, and can enter 8000 characters! Of course, this leads more to parody than to usabilty!

• Fn-F7 switches between LCD, LCD+CRT, CRT. But if you are in a virtual console, the LCD is blank in LCD+CRT mode. Under X, the LCD works as expected.
• Switch on screen expansion in the BIOS. Otherwise, 800x600 will only use the central quarter of the screen!
• LCDs look horrible at non-native resolution. But it's much better for games since it reduces the CPU-load, and allows a higher frame-rate. Eg tux-racer at 640x480.
• There was (in 9.1) a bug in the r128 driver which caused occasional lockups with 3D GL things. This appears to have been fixed, but for reference, here is the information.
• The xev (XEvent) program is very useful to see what is going on - it prints keycodes/keysyms/button-press diagnostics to the screen.
• xmodmap allows you to change particular keyboard and mouse-button mappings.
• setxkbmap gb allows you to set default keyboard mappings. Useful if you did something stupid with xmodmap!
• xbindkeys allows you to define key-combinations to launch programs.
• xclip copies and pastes from stdin/out to/from the clipboard.
• xmacro lets scripts generate key/mouse events. (eg: echo -e "KeyStr Z\n" | xmacroplay :0)
• For the PC-speaker, or Bell see sound.

• Shift-Numlock: turn mouse emulation on or off.
• 82,46,7913: move mouse pointer up,down,left,right,diagonally.
• 5: press the mouse button.
• ÷, ×, −: select which mouse button is emulated by pressing 5 (respectively: left,middle,right).
• +, 0: double-click, click-and-drag

1. Get the latest xorg .src.rpm from the SRPMS/ directory on the mirrors. I used the one from SeerOfSouls: xorg-x11-6.9.0-11.1.20060.SoS.src.rpm.
2. Install with rpm -i.
3. Get this patch (attached to comment #8 on the xorg Bugzilla).
4. Apply it to the source:

   
   cd /usr/src/RPM/SOURCES/
   mkdir TMP; cp  X11R6.9.0-src.tar.bz2 TMP/; cd TMP
   tar xvzf X11R6.9.0-src.tar.bz2
   cd xc/programs/Xserver
   patch --verbose -p0 < /home/rjn/xorg-hack/mousepatch.4318.patch
   cd ../../..
   tar cvfz X11R6.9.0-src.tar.bz2  xc
   mv  cvfz X11R6.9.0-src.tar.bz2 .. ; cd ..
   

5. Now build the RPM: cd /usr/src/RPM/SPECS; rpmbuild -bb xorg-x11.spec
6. Finally, the RPMS will be in /usr/src/RPM/RPMS/i586: install the packages as desired.
7. Now, clean up or there will be over a GB of wasted disk space! When the rpm tool installs a .src.rpm, it merely unpacks its source into the /usr/src/RPM/SOURCES directory. Thereafter, it isn't listed by rpm -qa, and cannot be removed with rpm -e. So, some judicious use of rm -rf in the directories /usr/src/RPM/SOURCES and /usr/src/RPM/BUILD is required.

• Bitmap fonts. (75dpi, 100dpi). These are the old-style X fonts, and cannot be scaled. They also cannot be printed. However, they look excellent on screen, iff they are displayed at their native size. Only certain point-sizes are available, and these fonts cannot be anti-aliased. (Eg Helvetica 8,9,13pt look excellent; 11pt looks poor, 10,12pt are unavailable)
• True-type (scalable) fonts. These fonts are the "modern", resizable ones, which look curvy. The outlines are generated from vectors, and mapped onto a pixel-grid. However, how exactly should the fonts be scaled to match the pixels?
  • Scale, but don't anti-alias. Each pixel is either black or white. This means that the font is sharp, and easy to focus on, but the coarse pixellation usually results in a horrid, "spidery" effect with jagged outlines. This is the well-known "bad Arial fonts on Linux" problem.
  • Scale and anti-alias. "Fudge" the curves by setting the intermediate pixels to varying shades of grey. This blurs the edges of the font, creating a smooth outline which is (on average) faithful to the original vector. For very large fonts (in headlines), and fonts used in images, it looks good. But for normal text, it is a matter of taste. Some people like the smooth edges, but I personally find them blurry, and "out of focus" - and they give me eye strain! (It's not quite so bad on this wonderful 133dpi monitor of the ThinkPad, but dreadful anywhere else). Sub-pixel rendering is a possible solution: it uses the 3 coloured pixels of the LCD to triple the horizontal resolution of the anti-aliasing. But the result is colour-fringing of the fonts. If you look at the result using xmag/kmag, you will see what I mean! However, some people do really like this smoothing effect. The Bitstream Vera (or DejaVu) fonts are the best for this.
  • Use properly "Hinted" fonts and don't anti-alias. Hinting means that when the font is scaled, instead of keeping its shape perfectly the same, it is carefully distorted to fit better over the pixels. The result is that the font face looks slightly different, but it is always sharp, and free from ugly artifacts. (For example, the letter "e" sacrifices its "Times-New-Roman-nature" in favour of clarity.) These correctly hinted fonts do not need anti-aliasing (and anti-aliasing often makes them worse at small sizes). The Microsoft fonts are best for this. [For interest, here's a comparison of Microsoft's and Apple's different approaches to smoothing.]
  • Lastly, when the font is very large (eg > 15 pt or used in an image), anti-aliasing makes the edges less jagged, without harming readability.

Here are some images of the different fonts. Try enlarging it with kmag to see the details. More examples are here (scroll down).

Bitmapped: (clear, but un-scaleable)
True Type, non-antialiased: ("spidery")
True Type, antialiased: (correct average shape, but blurred)
True Type, hinted: (slightly distorted shape, but it is clear)
TTF, hinted, antialiased: (not quite so good)

• Install the Microsoft corefonts (which are free-as-in-beer). These are very well hinted.
• Install the plf version of libfreetype6.
• Set up the applications to use the new fonts.
• No half-measures: a compromise will be much worse than either extreme!

1. Take a screenshot of how things look now (with ksnapshot) for later comparison.
2. Install the Microsoft Core Fonts. Before I wiped out Win98, I kept a tarball of C:\Windows\fonts\. Install the .ttf files, (but not the .fon files) using either the Mandrake Font Installer (in Mandrake Control Center), or KDE's font installer (KDE->kcontrol->System->Font Installer). Alternatively, there are the Microsoft webfonts which are free (as in beer), which can be downloaded from sourceforge.
3. Installing a version of libfreetype with support for the Bytecode interpreter (hinting):
   1. First, download the penguin-liberation-front packages for libfreetype6 (and -devel): libfreetype6-2.1.10-8plf.i586.rpm and libfreetype6-devel-2.1.10-8plf.i586.rpm
   2. Then, install them instead of the Mandriva packages. However, urpmi won't upgrade them since the replacement version is in fact slightly earlier. If you use urpme to remove the Mandriva packages before installing the PLF ones, you'll end up uninstalling your entire system! This is one of those rare occasions when using rpm with --nodeps is justified. Find the names of the packages which are installed:
      rpm -qa | grep libfreetype
      
   3. Forcibly uninstall them, without removing packages which depend on them:
      rpm -e --nodeps libfreetype6-2.1.10-9.1.20060mdk libfreetype6-devel-2.1.10-9.1.20060mdk
      
   4. Install the PLF packages:
      urpmi ./libfreetype6-2.1.10-8plf.i586.rpm ./libfreetype6-devel-2.1.10-8plf.i586.rpm
      
   5. Prevent urpmi --auto-select from re-installing the mandriva packages. Add this to /etc/urpmi/skip.list

      #Don't mess up the libfreetype: keep the PLF packages.
      libfreetype6
      libfreetype6-devel
      libfreetype6-static-devel

      [download]
   6. Restart X (logout, service dm restart)

• Selecting fonts: xfontsel is useful. A font is unambiguously described by both foundry and name (and size,style...) eg: adobe-times-iso8859-1 However, in KDE, fonts are known just by their name when unambiguous e.g. Bitstream Vera Sans and with the foundry in brackets when it is required, e.g. Fixed [Misc] or Fixed [Sony]. Also, note that Times (=adobe-times-iso8859-1) and Times New Roman (= Microsoft TTF) are quite different fonts! FIXME - explain fc-cache, fc-match fc-list fonts.conf ttf vs type1 (no real difference) helvetica/univers vs arial (wkipedia articls)
• For desktop users, with antialiased fonts and LCD monitors without DVI: LCD monitors auto-adjust by aligning their clock with vertical lines in the image. But, if all the fonts are antialiased, there are no hard edges to crunch on, and the monitor calibration is often poor. Here is a 1280x1024 chessboard: view it at 100% size, then press audo-adjust on the monitor.
• The point is a unit of length, defined as 1 point = 1/72.27 inch; in computing, it is usually redefined to 1/72 instead. A 10-point font means that that the full height of a row of text is 10 points. The "em" is the height of an 'M' or the width of an 'm' in that font. [For example: at 96dpi, 12pt = 16 px; at 133dpi, 10pt = 18px]
• The GIMP freefonts are good, and may be downloaded from here. Also, myfonts.com have a large number of fonts available for preview.
• Summary: it's all about personal choice. If you get used to AA, then switching back to non-AA feels a bit weird for a while. Likewise, vice-versa.

• Revert to "core" (X-default) cursor-theme, or
• De-select the GL screensavers in xscreensaver-demo, or
• Kill and restart xscreensaver every time it unblanks.

#!/bin/bash
#Xscreensaver on Rage128 Mobility card with any cursor-theme other than core messes up the cursor. It is borked
#if last xscreensaver process was a GL one. So kill/restart xscreensaver every time it unblanks.

while : ; do
        echo "Starting xscreensaver; monitoring for unblank..."

	#Watch the xscreensaver status. When unblanking, the line will begin 'UNBLANK'
        xscreensaver -verbose -no-capture-stderr -no-splash 2>&1 | while read LINE; do
                if echo $LINE | grep 'unblanking screen at' &>/dev/null 2>&1 ; then

			echo "Unblank detected. Killing xscreensaver..."
                        killall xscreensaver
                        break;
                fi
        done
done

• Most applications (eg mplayer, amarok, vlc) can do this: simply set the output plugin to be alsa.
• Even the KDE sound server can output to Alsa. (But see below).
• Some applications only understand OSS. (eg /usr/bin/play). In these cases, use aoss to intercept the call to /dev/dsp and redirect it to ALSA. eg aoss /usr/bin/play Beethoven5.ogg [Actually, play itself is just a script, and can be edited to include the aoss anyway.]
• QEMU doesn't work with aoss, so it has to have the sound card to itself.
• CD playback can be done digitally, via alsa (eg by alsaplayer,kscd,vlc) or directly through the sound card.

• kcontrol->LookNFeel->System Notifications->Player Settings->Use external player.
• External player is sox_aplay.sh
• In ~/bin/, I have the following script named sox_aplay.sh:

  #!/bin/bash
  #Play audio file immediately (avoid arts startup delay). Volume decreased to 0.4
  sox "$1" -t wav -v 0.4 - | aplay
  
  #Note: in newer versions of sox, the argument order is different; use this instead:
  #sox "$1" -t wav - vol 0.4 | aplay

  [download]