1. I set the Hard Disk password in the BIOS. This is fairly impenetrable, (IBM certainly won't get it back for you), but it is probably circumventable by a talented data thief. Don't forget it!! [It also means that the laptop cannot boot up unattended.] I didn't set a BIOS password, since the HDD password is sufficient (and stronger than the BIOS password anyway). From the Linux-thinkpad mailing list:

   "[The Hard Disk password] is pretty secure. The protection is provided by the drive itself: one needs to disassemble the drive, separate the drive platters from its internal IDE controller and replace this controller to get to the data.
   
   One important thing to know about Thinkpads is that if you also set a poweron password in the BIOS, the harddrive password gets copied to an EPROM on the motherboard. As a consequence, not setting a poweron password and only a harddrive password decreases the risk of an attacker to get to the data."

2. Most systems (given an attacker with physical access) can be booted up, either using Knoppix, or by pressing Escape while Lilo is starting, and then typing linux single. So the login password alone is no protection at all! Even if CD-ROM boot is prevented by a BIOS password, and Lilo single-user boot is disabled, the Hard disk can still be read by placing it in another machine,
3. Encrypt: /home, since it contains my data.
4. Encrypt /var, since it contains all sorts of things: logs, slocate.db, postgres database...etc.
5. Encrypt swap, because anything could end up there (and in the clear). Swap is the easiest to encrypt, and most transparent, so I'd recommend to encrypt that, even if nothing else.
6. Not encrypted: / (the root directory), because it's all open source anyway! Furthermore, this is quite a complex operation, especially if trying to install there! And the performance hit would be most significant if the applications were encrypted. Yes, there is a little information which could leak out via /etc, but for me, this isn't important - besides which, my email address is written on the bottom of the laptop!
7. Not encrypted: /boot, because this would be impossible! [If worried about a trojaned kernel being installed here, boot only off a USB-key, and keep the key in your sight at all times!]
8. I decided to use losetup rather than dm-crypt, since losetup is more established, and at least partially supported by a (broken) Mandrake rc.sysinit script. dm-crypt might actually work OK with Mandriva 2006, but it certainly didn't when I originally set this up under 10.2.
9. Using losetup means that suspend-to-disk is dangerous, since the RAM will be in clear on the disk! But I only ever want suspend-to-RAM anyway. dm-crypt would allow cryptographic suspend-to-disk. Also, "newer versions of suspend2 also have native encryption support via the crypto-API of the Linux kernel." [But Mandriva doesn't seem to use suspend2.]
10. Firewire can be dangerous. IEEE1394 devices can, by design, snoop on the host's memory. This is useful for debugging, but can be considered harmful. The laptop has no inbuilt 1394 device, but a PCMCIA card would be helpfully hotplugged by Mandrake! So prevent the modules from loading.
11. The implication of the setup which I have chosen is that:
    • When the system is switched off, if someone tries to access the hard disk, we are protected by encryption.
    • When the system has booted up, all the encrypted partitions are mounted. We are now protected by the kernel, the login program, file permissions, and a strong password.
    • When the system is left running, but unattended, xscreensaver is used to lock the display. We now are protected by xscreensaver. (And sshd, if on a network)
12. Obviously, choose a strong password and passphrases. Also, there are some useful articles on data-hygiene published by The Register, on internet anonymity and data security.
13. Here are some other encryption resources which may be of interest. Note that losetup is older than dm-crypt.
    • Loopback AES Readme
    • Linux device-mapper cryptography (dm-crypt) and the dm-crypt wiki
    • How to encrypt the entire hard disk
    • Linux Journal article: Implementing Encrypted Home Directories (but slightly old, not referring to dm-crypt)
    • Disk and email encryption in Linux (covers Open PGP and Mandrake 9.1)
    • Encrypting the whole disk using Gentoo and losetup. (Not really relevant here)
    • Cryptoloop howto (Mounting an encrypted file instead of a partition)
    • EncFS (doing everything in userspace. Uses Fuse. Easier, but less efficient)
    • GPG: Encrypting file-at-a-time. (Useful for emails)
    • StegFS (plausible deniability by having multiple layers of encryption).
    • Other "attacks" include listening to the sound of the keyboard, listening to the sound of the CPU, and sampling diffuse visible light from the monitor.
    • Tom's Hardware intro (LUKS).
14. Other considerations:
    • Can the encrypted home partition be locked without unmounting it? Eg before invoking the screensaver, or suspending, somehow forget the key, without first having to close all the applications and unmount /home. I can't see why this shouldn't be possible, but it would appear to need a kernel modification.
    • Can we trust the login program? Yes, probably (provided the password is good enough). Thus, when the system is running, we are protected by the passwords. The encryption protects against someone with physical access to the machine, who can remove the hard disk (or use a bootable CD).
    • Can we trust xscreensaver to do the locking? Yes, probably, provided that the password is sufficiently strong, and that there are no root logins on the virtual consoles, which xscreensaver cannot protect. Xscreensaver uses PAM, so it is as good as login. Disabling Ctrl-Alt-Backspace would be a good idea. If there were some way to crash X (or xscreensaver) without logging out, this would leave /home exposed.
    • What about the daemons? Could sshd or apache compromise things? Make sure that permissions are not world-readable! What about ~/public_html? Obviously, we need to run a fully up-to-date system, with no known local-root exploits.
    • What about the risk of a dictionary attack on /etc/shadow? Obviously, I use a password which is not a dictionary word! But a really sophisticated attacker could perhaps surreptitiously "borrow" the unattended laptop, copy /etc, run some crack against /etc/shadow, return the laptop, wait for me to log in, then steal it. "A possible improvement is adapting your pam configuration to replace the standard unix authentication (pam_unix.so) with pam_ssh.so (use your ssh passphrase to log in) or pam_usb.so (use a usb-stick to log in)" But obviously, losing a usb-stick is very easily done!
    • Can we use PAM to automate any of this, to reduce the number of times the passphrase needs to by typed. Is there any reason why root password, my user password, and SSH passphrase should be different?
    • Can the SysRQ key do anything bad? It appears not, according to the documentation in /usr/src/linux-xxx/Documentation/sysrq.txt
    • We are still vulnerable to a brute-force attack with sufficient computing power; to theft of the laptop while unlocked; or to theft while locked, but powered on, and with sufficiently clever electronic probing of the motherboard (or via firewire).
    • Newer thinkpads, with 'biometric fingerprint sensors' should not rely on these. The sensors do not reliably discriminate between users, and are very easy to fool. Furthermore, one's fingerprints can easily be retrieved...from the laptop!
    • If any of this is wrong, please tell me!

1. The new Mandrake installer is very slick, and just works. "expert" mode has gone away. There is a very useful rescue mode on the first CD, in case you mess up the system.
2. It did prompt me to upgrade from 9.1, which would probably have worked fine. However, I decided to do a full reinstall, and re-partition.
3. Accept license. Read release notes. British English. UK keyboard.
4. Security=high (don't choose paranoid - you can make your system almost unusable!). Security admin = rjn (this is the person who gets the email from msec etc).
5. Mouse = any PS/2 or USB (the default).
6. Partitions. If you are not using encryption (or just encrypting swap), I would recommend something simple, eg:

   Partition	Size	Mount point	Filesystem
   hda1	7 GB	/	ReiserFS
   hda5	550 MB (slightly larger than RAM)	swap	swap
   hda6	1 GB	/spare	ReiserFS
   hda7	21 GB	/home	ReiserFS

   However, I decided that I wanted to encrypt /var, and hence the partition scheme is slightly more complex. Diskdrake has an "encryption" option, which doesn't work well. Don't use it - and install everything unencrypted for now. Thus:

   Partition	Size	Mount point	Filesystem
   hda1	200 MB	/boot	ReiserFS
   hda5	6.5 GB	/	ResierFS
   hda6	550 MB (slightly larger than RAM)	swap	swap
   hda7	1024 MB	/var	ReiserFS
   hda8	1024 MB	/spare	ReiserFS
   hda9	20 GB	/home	ReiserFS

7. Package Selection: it is usually easier to install a small system, then add urpmi sources, and select more packages once it is done. So I just accepted the default groups.
   NOTE: DO NOT install lm_sensors (it can destroy some thinkpads - see linux-thinkpad.org). Mandrake do not include it by default, and lm_sensors should now safely exit before damaging vulnerable machines, but it's worth making sure. This also means avoiding glms, ksensors, and not running sensors-detect.
8. Define a root password, a user (rjn) and password.
9. Put the Lilo bootloader on the MBR (Master Boot Record)
10. At "Summary", I went through all the config options:
    • Timezone -> London, Hardware Clock = GMT, Use NTP
    • Printers -> configure after install.
    • GUI -> Generic Flat Panel Display, 1600x1200, Rage 128 Mobility, Xorg 6.8.2 with hardware acceleration, 16 bit per pixel.
      Note: It is necessary to choose 16 bit/pixel and not 24 bpp in order to have hardware acceleration working. glxgears gives 787 FPS at 16 bit, but only 158 FPS at 24 bit.
    • Network -> LAN: set eth0 to DHCP. Do NOT assign host name from DHCP address. Do not set "DHCP hostname". Choose start at boot. Get DNS servers from DHCP. Hostname="toffee-pecan.baddiant.org.uk". Zeroconf hostname=blank. Note: Unlike earlier versions, 10.2 will background the DHCP request to allow boot to proceed faster. However, you can also set a timeout.
    • Firewall off all but SSH, and ping.
    • Bootloader -> 5 second delay. Clean /tmp at boot. No need to specify precise RAM size. ACPI is now supported, so allow it. (Previously, I used APM). Add "splash=verbose panic=60" to the bootloader options (respectively: make bootsplash verbose, so that the boot messages are visible; reboot after a kernel panic rather than hang.)
    • Services -> deactivated many of these. In particular, unless you need them, deactivate anything to do with NFS (netfs,nfslock,portmap) and Zeroconf (mdadm, mDNSResponder,nifd). Here is what I am running on my laptop. Note that some of these choices may not suit everyone. [I don't have a printer on the laptop, (no cups); I do web-development (postgresql,httpd), and I have internet connection sharing enabled for use when travelling (dhcpd,squid,named). ACPI is now supported, (although APM works too). I have no bluetooth hardware, and I never change the ultrabay. Irda causes crashes, and anacron causes the disk to thrash (rpmv,msec) for 20 minutes!]
      • These are running: alsa, acpi, acpid, atd, cpufreq, crond, dhcpd, dm, haldaemon, harddrake, hotplug, httpd, keytable, kheader, messagebus, named, network, ntpd, partmon, pcmcia, postfix, postgresql, shorewall, smartd, sound, squid, sshd, syslog, udev, xfs
        
        
      • These are not running: anacron, apmd, apmiser, bluetooth, cups, cpufreq, cpufreqd, dund, hidd, iptables, irda, laptop-mode, mDNSResponder, mdadm, netfs, netplugd, nfslock, nifd, oki4daemon, pand, pcscd, rawdevices, ultrabayd, vncserver
11. Reboot.

• check hard disk performance: Is DMA enabled (it should be): hdparm -tT /dev/hda. Test data rate: hdparm -tT /dev/hda [I get 287 MB/s, 19 MB/sec respectively].
• check memory status: free -m [more info]
• check disk space: df -h, and what is mounted where: mount
• is swapenabled? swapon -s
• check which kernel is running: uname -a
• check 3D acceleration: glxgears [I get 787 FPS]
• check which processes are running: top; ps aux | less; chkconfig --list; service --status-all
• check network: ifconfig -a
• check for system error messages: dmesg; /var/log/boot.log; /var/log/messages; /var/log/kernel/*

• splash=verbose -> so that the boot-up messages are visible. Mandrake defaults to hiding them with splash=silent. The old way (just text) is splash=none.
• panic=60 -> so that, if there is a crash, the system will try to reboot after 60 seconds. Useful if unattended. (We could also install the watchdog).
• acpi=off -> this would be used if we want APM rather than ACPI. To have ACPI, no entry is required.
• inotify -> so that inotify is enabled, which allows KDE's volume manager to detect changed media (eg CDROMs or USB-keys.)
• vga=794 -> so that the console uses a much higher resolution, which makes it far more pleasant. (To see which modes are possible, run hwinfo --framebuffer, then convert it using this table.)

image=/boot/vmlinuz-2.6.12-12mdk-i586-up-1GB
        label="2612i586up1GB-12"
        root=/dev/hda5
        initrd=/boot/initrd-2.6.12-12mdk-i586-up-1GB.img
        append="resume=/dev/hda6 splash=verbose panic=60 inotify"
        vga=794

• Permit the root user to access your normal xsession: run (as yourself) xhost local:root
• Invoke the GUI application directly: sudo xclock
• Use the sux wrapper script instead of su, to transfer the X credentials.

• Official - this is the "stable" release. Recommended for servers.
• Devel = Community - this is the slightly more bugfixed and updated system (and is required by some PLF packages). Recommended for desktops.
• Cooker = Bleeding edge, and usually broken! Recommended only for Mandriva developers.

• Main = the 3-6 CDs you download. (Core distribution).
• Contrib = packages built by other volunteers - over 2GB of useful stuff, but not officially in the main distribution.
• PLF = "Penguin Liberation Front" - packages that might cause legal headaches in some countries, mainly multimedia. PLF is split into plf-free and plf-nonfree. [Note: PLF is designed to work with Community, not Official.]
• Updates = updated packages fixing bugs and security problems. [Only official has an updates source; for devel or cooker, updates are subsumed into the other media.]

• Club Open source packages = updated packages available to MandrakeClub members. You may wish to pick and choose these rather than adding the urpmi source: if so, browse the mirror with lftp.
• Club Commercial = non-free, binary packages such as Java and Flash. These are available as RPMS from MandrivaClub; if you prefer, you can download these directly from Sun,Macromedia etc.

• 2006 RPMS - updates for many and various packages, built for Mandriva 2006.
• KDE 3.5 RPMS - packages for KDE 3.5

• main_community (ftp://anorien.csc.warwick.ac.uk/Mandrakelinux/devel/2006.0/i586/media/main)
• contrib_community (ftp://anorien.csc.warwick.ac.uk/Mandrakelinux/devel/2006.0/i586/media/contrib)
• plf-free and plf-nonfree (ftp://ftp.free.fr/pub/Distributions_Linux/plf/mandrake/free/2006.0 and mandrake/non-free/2006.0)
• SoS-KDE (http://seerofsouls.com/KDE-3.5)
• mandriva_club [Only temporarily configured, to download Java,Flash,OpenOffice2; then removed]

• urpmi bash-completion
• Pick one of:
  • cp /etc/skel/.bash_completion $HOME
  • . /etc/bash_completion in your ~/.bashrc
  • edit the file: /etc/sysconfig/bash_completion

• In all distributions , if the word is unambiguous, pressing [Tab] once will complete it.
• In Mandrake, if the word is ambiguous, pressing [Tab] once will print a list of options. (with no beep).
• In most other distributions, if the word is ambiguous, pressing [Tab] once will just beep at you. You have to press [Tab] twice to get the completion options. This rapidly gets irritating, and causes lots of beeping!

# Show all if ambiguous.
set show-all-if-ambiguous on

• Typing 'help' will give a guide to the bash builtins. 'info bash' or 'man bash' are extremely useful; reading the man page in konqueror ('man:/bash') is easier.
• Here is a useful reference: the Advanced Bash Scripting Guide. (Also, a list of special characters and string functions )
• Mandrake defines a lot of helpful aliases, such as 'cd..' and 's'. Type 'alias' to list them.
• Keyboard shortcuts in bash/readline are described in info bash "Command Line Editing" or man readline. There are very many: here are some of the most useful:

  Shortcut key	Function
  Ctrl-a,Ctrl-e	Move to start,end of line
  Ctrl-b,Ctrl-f	Move back/forward one character
  Alt-b,f	Move back/forward one word
  TAB	Smart completion (within uniqueness) of command or filename
  Alt-/	Force completion on filename (override smart completion).
  Ctrl-u,k	Cut ("kill") from cursor to start/end of line
  Ctrl-w,Alt-d	Cut from cursor to previous whitespace,end of word
  Ctrl-y	Paste ("yank") previous cut text
  Ctrl-_	Undo previous edit
  Ctrl-l	Clear screen (except for current line)
  Ctrl-r	Reverse-search through history

• Quoting.
  • Single quoted phrases in bash are literal. Within sinqle quotes, you may never use another single-quote, not even with a preceeding backslash (\'). See QUOTING in the bash manpage
  • Double-quoted phrases in bash treat $, `(backtick), and \(backslash) specially. Double-quoted doublequotes may be escaped by \". Beware of ! characters within interactive shells: echo "Oops!" will cause an error.
  • Conatenation is allowed: TEXT="What's your name?\n"'My name is "Richard"'; echo -e $TEXT
  • Without quoting, filename globbing takes place. *, ? and [...] have special meanings: see PATTERN MATCHING in the manpage.
• Globbing is the process by which special characters are expanded to match filenames. For example ls *.jpg lists all files ending in .jpg. But consider what happens when there are no matches. By default, bash falls back to a literal '*'. shopt -s failglob makes it throw an error; shopt -s nullglob makes it result in the empty string. All choices are problematic - consider:
  • i=0; for file in *ZZZ; do let i++; done; echo "There are $i files matching '*.ZZZ'" when there are no relevant files. Without failglob/nullglob, this will give the answer '1' when it should be zero. nullglob is best.
  • ls *ZZZ. The default (neither nullglob nor failglob) results in "ls: *ZZZ: No such file or directory". However, with nullglob, it becomes just ls, listing the entire directory.
• $IFS is the input field separator. By default, it is <space><tab><newline>. Any of these characters are treated as delimiters when tokenising input. For example:
  set `echo "first second"` ; echo "\$1 is '$1' and \$2 is '$2'" results in $1 is 'first' and $2 is 'second', whereas
  IFS=':'; set `echo "first second:third"` ; echo "\$1 is '$1' and \$2 is '$2'" results in $1 is 'first second' and $2 is 'third'.

• [2.4.1] Fix the timeout for mounting encrypted filesystems on boot-up. It should wait a long time.
  Edit the line just above the comment: #Mounting Encrypted filesystem
  and change the timeout to 600. The correct line reads:
  [[ -z $AUTOFSCK_CRYPTO_TIMEOUT ]] && AUTOFSCK_CRYPTO_TIMEOUT=600
• [2.4.2] Fix rc.sysinit so that, if you get the passphrase wrong, it asks you again...and again (10 times).
  Edit the section which begins: #Mounting Encrypted filesystem
  
  Replace this part of the script:
  

  echo "We have discovered Encrypted filesystems, do you want to mount them now ?"
  MSG=`gprintf "Press Y within %%d seconds to mount your encrypted filesystems..."`
  KEYS=`gprintf "yY"`
  if /sbin/getkey -c $AUTOFSCK_CRYPTO_TIMEOUT -m "$MSG" "$KEYS"; then
  	echo -e '\n'
  	for i in ${encrypted};do
  		echo -n "${i} "; mount ${i}
  	done
  else
  	echo -e '\n'
  fi

  [download]
  
  with this new version:
  

  echo "We have discovered Encrypted filesystems, do you want to mount them now ?"
  MSG=`gprintf "Press Y within %%d seconds to mount your encrypted filesystems..."`
  KEYS=`gprintf "yY"`
  if /sbin/getkey -c $AUTOFSCK_CRYPTO_TIMEOUT -m "$MSG" "$KEYS"; then
  	echo -e '\n'
  
  	#We *really* don't want to boot up without this mounting successfully, so give
  	#10 chances for the user to type the passphrase.  If there is more than one
  	#encrypted partition, try the same passphrase before making the user re-type it.
  
  	unset crypto_passphrase
  	for i in ${encrypted}; do
  		failcount=0
  		while [ $failcount -lt 10 ]  ;do
  			if [ -z "$crypto_passphrase" ];then
  				read -s -p "Enter passphrase for encrypted partition(s) ${i}: " crypto_passphrase
  				echo -e '\n'
  			else
  				echo "Trying the same passphrase for encrypted partition ${i}"
  			fi
  			echo "$crypto_passphrase" | mount -p0 ${i} ; result=$?
  			if [ $result == 0 ];then
  				echo "Successfully mounted encrypted partition ${i}"
  				break
  			else
  				let failcount++
  				echo "Failed to mount ${i}; used $failcount attempt(s) out of 10 allowed."
  			fi
  			unset crypto_passphrase
  		done
  	done
  	unset crypto_passphrase
  
  	else
  	echo -e '\n'
  fi

  [download]
• [2.4.3] Fix the section beginning with: Check loopback filesystems, so that it doesn't check filesystems which are both loopback AND encrypted.
  It should read:
  

  # (pixel) Check loopback filesystems
  	if [ ! -f /fastboot ]; then
  		modprobe loop
  		gprintf "Checking loopback filesystems"
  		#Fsck -T -R -A -a -t opts=loop $fsckoptions
  		Fsck -T -R -A -a -t opts=loop,noopts=encrypted $fsckoptions
  	fi

  [download]
• [2.4.4] Side effect: service udev status is untruthful
  udev is started very early by rc.sysinit, before /var is mounted. service udev start tries to save the status by touching /var/lock/subsys/udev. This failure is harmless, but it will mean that service udev status wrongly claims that udev is stopped when it isn't. To check the truth, use pgrep udevd instead. If desired, add this to rc.sysinit immediately after mounting /var (in section 2.4.2 above):
  

  #Udev has already been started, but the lockfile hasn't been created, because /var wasn't mounted at that time.
  	[[ -d /var/lock/subsys/ ]] && pgrep udevd >/dev/null 2>&1 && touch /var/lock/subsys/udev 2>/dev/null

  [download]

• This now works. Test it by comparing the result of cat /dev/hda9 | strings with what you would usually see. It is gobbledegook!
• Don't use diskdrake to set up encryption: it won't work, and it won't allow you to encrypt /var anyway.
• As a consequence of /var being on a separate partition, and the need not to waste disk space, postgresql may need to live in /home rather than /var/lib/pgsql/.
• Remember to lock the screen if you use a screensaver!
• See note below on suspend to RAM.
• Keep a copy of your new /etc/rc.d/rc.sysinit, because if you upgrade or update with urpmi, it will be overwritten by the defaults. In order to prevent this occuring, add this to /etc/urpmi/skip.list:

  #Keep modified rc.sysinit for mounting encrypted partitions at boot.
  initscripts

  [download]

#Start the device-mapper for the encrypted partitions using dm-crypt.
#Prompt for the passphrases as required.
#Do NOT boot until the correct passphrases have been supplied.
modprobe dm-crypt >/dev/null 2>&1
service cryptdisks start

1. Find out which xorg packages are installed: rpm -qa | grep -E 'xorg|X11R6'. I had the following:

   xorg-x11-6.9-1.cvs20050915.2mdk xorg-x11-server-6.9-1.cvs20050915.2mdk libxorg-x11-6.9-1.cvs20050915.2mdk libxorg-x11-devel-6.9-1.cvs20050915.2mdk xorg-x11-xfs-6.9-1.cvs20050915.2mdk xorg-x11-100dpi-fonts-6.9-1.cvs20050915.2mdk xorg-x11-75dpi-fonts-6.9-1.cvs20050915.2mdk xorg-x11-xauth-6.9-1.cvs20050915.2mdk xorg-x11-Xprt-6.9-1.cvs20050915.2mdk X11R6-contrib-6.9-1.cvs20050915.2mdk.i586

2. Download these from http://seerofsouls.com/RPMS-2006/. I didn't set this as an urpmi source because I don't want to pull in all the upgrades from here.
3. Install the packages with urpmi:

   urpmi ./xorg-x11-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-server-6.9.0-1.2006.SoS.i586.rpm ./libxorg-x11-6.9.0-1.2006.SoS.i586.rpm ./libxorg-x11-devel-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-xfs-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-100dpi-fonts-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-75dpi-fonts-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-xauth-6.9.0-1.2006.SoS.i586.rpm ./xorg-x11-Xprt-6.9.0-1.2006.SoS.i586.rpm ./X11R6-contrib-6.9.0-1.2006.SoS.i586.rpm

4. Get the updated packages from the community mirror. urpmi.update -a; urpmi --auto-select
5. Log out. Then restart X: service dm stop; service xfs restart; service dm start

• xrandr is invoked: xrandr -s [NUMBER] and allows you to re-size the entire desktop. (xrandr is "X rotate and resize")
• krandrtray is invoked: krandrtray and is a KDE system-tray GUI for xrandr.
• arandr is a graphical version of xrandr, that runs on various desktop environments.
• xvidtune is invoked: xvidtune -next and changes the "viewport" onto the desktop. For example, an 800x600 viewport which can be panned around on top of a 1600x1200 desktop.

1. Make sure that the mode (such as 1024x768 or 800x600) is working on the internal LCD.
2. Plug in the projector, and use Fn-F7. If both LCD + Projector are enabled, then with some projectors, there may be problems with timing errors. (The symptoms are: Distortion/Flickering; LCD monitor may complain about timing frequencies; Projector may fail to display anything, or mis-sync giving a "sliced" image). If so, use Fn-F7 again to have only the projector: of course, this means that there is no 'Autocue', so have a printout of the slides available!
3. Use xrandr -s 800x600 to resize the desktop as necessary to fit onto the projector.
4. Give the presentation. NB: practice in advance; text not too small; test projector in advance; have printout of notes; check timing; speak slowly; be calm.

• Add the DisplaySize line to /etc/X11/xorg.conf:

  Section "Monitor"
      Identifier "monitor1"
      VendorName "Generic"
      ModelName "Flat Panel 1600x1200"
      HorizSync 31.5-90
      VertRefresh 60
      DisplaySize 304 228     # <-- Added by rjn to sort out tiny fonts - these are width, height in mm
      ....
  EndSection

  [download]
• Change the dpi line in /etc/X11/Xresources to:

  Xft.dpi: 133

  where 133 is the value of xdpyinfo | grep resolution.
• Unfortunately, the gnome-font-properties program (which configures GTK applications) does not respect the value from the X-server. Start gnome-font-properties, click 'details', and manually change the resolution from 96 dpi to 133 dpi.

1. We can discover which mouse we want by doing cat < /dev/input/mouseX and wiggling the mouse. In this case, it happens to be /dev/input/mouse0
2. We want to create a udev rule to symlink /dev/input/trackpoint -> /dev/input/mouse0
3. Find out about the device with udevinfo: udevinfo -a -p /sys/class/input/mouse0
4. Add the following to /etc/udev/rules.d/10-local.rules:

   #Symlink the relevant /dev/input/mouseX by /dev/input/trackpoint:
   BUS=="serio", kernel=="mouse*", SYSFS{description}=="i8042 Aux Port", NAME="input/%k", SYMLINK="input/trackpoint"

   [download]
5. Modify xorg.conf to refer to /dev/input/trackpoint rather than /dev/input/mice
6. Reboot (since the PS/2 port doesn't like hotplugging)

• If multiple mice are now needed, the ServerLayout section should have one "CorePointer" and the others to "SendCoreEvents".
• For the A22p, it is also valid to use /dev/psaux for the trackpoint device.
• Note: we don't want /dev/input/eventX nor do we want /dev/input/tsX, since these can cause subtle errors.
• If the Xserver fails to start, Mdk will 'helpfully' re-detect the mice, and over-write your carefully constructed file. So keep a copy!

• Button 1 = ordinary Left-click
• Button 3 = ordinary Right-click
• Button "X" = ordinary Middle-click (i.e. paste.) [Button X is achieved by pressing btn1 and btn3 together]
• Button 2 + move trackpoint = Vertical AND Horizontal scroll

• Emulate3Buttons on: this means that (Button 1 + Button 3) => emulated middle button.
• EmulateWheel on: this means that Button 2 + move mouse => emulated scroll wheel
• EmulateWheelTimeout = 0: this means that Button 2 does not generate middle-clicks. Only Button X does.
• YAxisMapping = "6 7": Vertical scroll generates a series of button 4,5 events, which the application treats as a vertical scroll.
• XAxisMapping = "4 5": Horizontall scroll generates a series of button 6,7 events, which most applications treat as a horizontal scroll.
• No, that's not a mistake: it cancels another bug, namely the existence of /etc/X11/xinit.d/mouse_buttons which swaps buttons 4<=>6 and 5<=>7

• Horizontal scrolling is misinterpreted as forward/back in Mozilla. See below for fix.
• Newer Thinkpads have 3 buttons in a row. As of Xorg-6.9, they can use EmulateWheelTimeout, to allow Button 2 to be *both* scroll and middle-click. This works extremely well, except for a few applications (xfig,pcb) which use middle-button drag, so cannot coexist with EmulateWheel. [For older versions of X, see here for alternatives.]
• The mouse options are documented in man (4) mouse. [But there is sometimes another mouse manual page of the same name documenting the electronic protocol for mice. To get the right man page, use: man /usr/X11R6/man/man4/mouse.4x.bz2]
• For testing, use xev to identify button presses and xmodmap -pp to show the button mapping.

• The X and Y axes were switched (i.e Option "YAxisMapping" "4 5" Option "XAxisMapping" "6 7") because /etc/X11/xinit.d/mouse_buttons didn't work.
• EmulateWheelTimeout had no effect. It was stuck on the default 200ms.
• The ZAxis mapping to some non-existent buttons was needed.

• Either use xmodmap, by including this in ~/.kde/Autostart/kde-startup.sh:

  #Get rid of Caps Lock and make it into an additional Control Key.
  xmodmap -e "remove Lock = Caps_Lock" \
          -e "keysym Caps_Lock = Control_L"    \
          -e "add Control = Control_L"

  [download]
• Or: use the KDE control center: Accessibility->Keyboard Layout->Xkb Options->Make CapsLock an additonal Control

• Meta is (roughly) Emacs-speak for Alt. Sun keyboards have Meta, whereas PC keyboards have Alt.
• AltGr (Right_Alt) is AlternateGraphic for other characters such as μ, which is entered as AltGr + m.
• Compose is an alternative way to get composite characters. Eg © is entered with the sequence Compose, o, c. However, (unless using Unicode), it only duplicates the functionality of AltGr and isn't really required.
• Super is often mapped to the Windows-key [which isn't present on ThinkPads], and is usually used for extra Window-manager functions and custom global program-shortcuts.
• Hyper is also sometimes, but uncommonly used. It may be mapped to the Menu key [not present on ThinkPads].
• Mod1 - Mod4 are the internal names used by the X-server for the modifiers: up to 4 are allowed. Usually, Mod1 = Alt/Meta; Mod2 = NumLock; Mod3 = AltGr (= KDE 3rd level), and Mod4 is free.
• Space Cadet Keyboards have all of the above, and can enter 8000 characters! Of course, this leads more to parody than to usabilty!

• Fn-F7 switches between LCD, LCD+CRT, CRT. But if you are in a virtual console, the LCD is blank in LCD+CRT mode. Under X, the LCD works as expected.
• Switch on screen expansion in the BIOS. Otherwise, 800x600 will only use the central quarter of the screen!
• LCDs look horrible at non-native resolution. But it's much better for games since it reduces the CPU-load, and allows a higher frame-rate. Eg tux-racer at 640x480.
• There was (in 9.1) a bug in the r128 driver which caused occasional lockups with 3D GL things. This appears to have been fixed, but for reference, here is the information.
• The xev (XEvent) program is very useful to see what is going on - it prints keycodes/keysyms/button-press diagnostics to the screen.
• xmodmap allows you to change particular keyboard and mouse-button mappings.
• setxkbmap gb allows you to set default keyboard mappings. Useful if you did something stupid with xmodmap!
• xbindkeys allows you to define key-combinations to launch programs.
• xclip copies and pastes from stdin/out to/from the clipboard.
• xmacro lets scripts generate key/mouse events. (eg: echo -e "KeyStr Z\n" | xmacroplay :0)
• For the PC-speaker, or Bell see sound.

• Shift-Numlock: turn mouse emulation on or off.
• 82,46,7913: move mouse pointer up,down,left,right,diagonally.
• 5: press the mouse button.
• ÷, ×, −: select which mouse button is emulated by pressing 5 (respectively: left,middle,right).
• +, 0: double-click, click-and-drag

1. Get the latest xorg .src.rpm from the SRPMS/ directory on the mirrors. I used the one from SeerOfSouls: xorg-x11-6.9.0-11.1.20060.SoS.src.rpm.
2. Install with rpm -i.
3. Get this patch (attached to comment #8 on the xorg Bugzilla).
4. Apply it to the source:

   
   cd /usr/src/RPM/SOURCES/
   mkdir TMP; cp  X11R6.9.0-src.tar.bz2 TMP/; cd TMP
   tar xvzf X11R6.9.0-src.tar.bz2
   cd xc/programs/Xserver
   patch --verbose -p0 < /home/rjn/xorg-hack/mousepatch.4318.patch
   cd ../../..
   tar cvfz X11R6.9.0-src.tar.bz2  xc
   mv  cvfz X11R6.9.0-src.tar.bz2 .. ; cd ..
   

5. Now build the RPM: cd /usr/src/RPM/SPECS; rpmbuild -bb xorg-x11.spec
6. Finally, the RPMS will be in /usr/src/RPM/RPMS/i586: install the packages as desired.
7. Now, clean up or there will be over a GB of wasted disk space! When the rpm tool installs a .src.rpm, it merely unpacks its source into the /usr/src/RPM/SOURCES directory. Thereafter, it isn't listed by rpm -qa, and cannot be removed with rpm -e. So, some judicious use of rm -rf in the directories /usr/src/RPM/SOURCES and /usr/src/RPM/BUILD is required.

• Bitmap fonts. (75dpi, 100dpi). These are the old-style X fonts, and cannot be scaled. They also cannot be printed. However, they look excellent on screen, iff they are displayed at their native size. Only certain point-sizes are available, and these fonts cannot be anti-aliased. (Eg Helvetica 8,9,13pt look excellent; 11pt looks poor, 10,12pt are unavailable)
• True-type (scalable) fonts. These fonts are the "modern", resizable ones, which look curvy. The outlines are generated from vectors, and mapped onto a pixel-grid. However, how exactly should the fonts be scaled to match the pixels?
  • Scale, but don't anti-alias. Each pixel is either black or white. This means that the font is sharp, and easy to focus on, but the coarse pixellation usually results in a horrid, "spidery" effect with jagged outlines. This is the well-known "bad Arial fonts on Linux" problem. Here's a sample comparison: left = {non-antialised, hinted font, good}; right = {non-antialised, non-hinted font, bad}.
  • Scale and anti-alias. "Fudge" the curves by setting the intermediate pixels to varying shades of grey. This blurs the edges of the font, creating a smooth outline which is (on average) faithful to the original vector. For very large fonts (in headlines), and fonts used in images, it looks good. But for normal text, it is a matter of taste. Some people like the smooth edges, but I personally find them blurry, and "out of focus" - and they give me eye strain! (It's not quite so bad on this wonderful 133dpi monitor of the ThinkPad, but dreadful anywhere else). Sub-pixel rendering is a possible solution: it uses the 3 coloured pixels of the LCD to triple the horizontal resolution of the anti-aliasing. But the result is colour-fringing of the fonts. If you look at the result using xmag/kmag, you will see what I mean! However, some people do really like this smoothing effect. The Bitstream Vera (or DejaVu) fonts are the best for this.
  • Use properly "Hinted" fonts and don't anti-alias. Hinting means that when the font is scaled, instead of keeping its shape perfectly the same, it is carefully distorted to fit better over the pixels. The result is that the font face looks slightly different, but it is always sharp, and free from ugly artifacts. (For example, the letter "e" sacrifices its "Times-New-Roman-nature" in favour of clarity.) These correctly hinted fonts do not need anti-aliasing (and anti-aliasing often makes them worse at small sizes). The Microsoft fonts are best for this. [For interest, here's a comparison of Microsoft's and Apple's different approaches to smoothing.]
  • Lastly, when the font is very large (eg > 15 pt or used in an image), anti-aliasing makes the edges less jagged, without harming readability.

Here are some images of the different fonts. Try enlarging it with xmag/kmag to see the details [not firefox-zoom, which will antialias]. More examples are here (scroll down).

Bitmapped: (clear, but un-scaleable)		<- For terminals
True Type, non-antialiased: ("spidery")		<- The problem
True Type, antialiased: (correct average shape, but blurred)		<- The standard solution
True Type, hinted: (slightly distorted shape, but it is clear)		<- My preference
TTF, hinted, antialiased: (not quite so good)		<- Combination

• Install the Microsoft corefonts (which are free-as-in-beer). These are very well hinted.
• Install the plf version of libfreetype6.
• Set up the applications to use the new fonts.
• No half-measures: a compromise will be much worse than either extreme!

1. Take a screenshot of how things look now (with ksnapshot) for later comparison.
2. Install the Microsoft Core Fonts. Before I wiped out Win98, I kept a tarball of C:\Windows\fonts\. Install the .ttf files, (but not the .fon files) using either the Mandrake Font Installer (in Mandrake Control Center), or KDE's font installer (KDE->kcontrol->System->Font Installer). Alternatively, there are the Microsoft webfonts which are free (as in beer), which can be downloaded from sourceforge.
   Tahoma isn't necessarily included in corefonts, but it is available for download here:

   #Install Tahoma. Download directly from Microsoft, as it isn't in msttcorefonts.
   mkdir -p ~/.fonts ; cd ~/fonts
   wget http://download.microsoft.com/download/ie6sp1/finrel/6_sp1/W98NT42KMeXP/EN-US/IELPKTH.CAB && cabextract -F 'tahoma*ttf' IELPKTH.CAB &&
   chmod 644 tahoma*  && fc-cache -v && rm -f IELPKTH.CAB && echo "Installed Tahoma"

   [download]
3. Installing a version of libfreetype with support for the Bytecode interpreter (hinting):
   1. First, download the penguin-liberation-front packages for libfreetype6 (and -devel): libfreetype6-2.1.10-8plf.i586.rpm and libfreetype6-devel-2.1.10-8plf.i586.rpm
   2. Then, install them instead of the Mandriva packages. However, urpmi won't upgrade them since the replacement version is in fact slightly earlier. If you use urpme to remove the Mandriva packages before installing the PLF ones, you'll end up uninstalling your entire system! This is one of those rare occasions when using rpm with --nodeps is justified. Find the names of the packages which are installed:
      rpm -qa | grep libfreetype
      
   3. Forcibly uninstall them, without removing packages which depend on them:
      rpm -e --nodeps libfreetype6-2.1.10-9.1.20060mdk libfreetype6-devel-2.1.10-9.1.20060mdk
      
   4. Install the PLF packages:
      urpmi ./libfreetype6-2.1.10-8plf.i586.rpm ./libfreetype6-devel-2.1.10-8plf.i586.rpm
      
   5. Prevent urpmi --auto-select from re-installing the mandriva packages. Add this to /etc/urpmi/skip.list

      #Don't mess up the libfreetype: keep the PLF packages.
      libfreetype6
      libfreetype6-devel
      libfreetype6-static-devel

      [download]
   6. Restart X (logout, service dm restart)

• This is your chosen "serif" font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text
• This is your chosen "sans-serif" font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text
• This is your chosen "cursive" font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text
• This is your chosen "fantasy" font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text
• This is your chosen "monospace" font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text
• This is what you get for the "times" (named) font: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ italic text

• Selecting fonts: xfontsel is useful. A font is unambiguously described by both foundry and name (and size,style...) eg: adobe-times-iso8859-1 However, in KDE, fonts are known just by their name when unambiguous e.g. Bitstream Vera Sans and with the foundry in brackets when it is required, e.g. Fixed [Misc] or Fixed [Sony]. Also, note that Times (=adobe-times-iso8859-1) and Times New Roman (= Microsoft TTF) are quite different fonts! It's also possible to use fontconfig to make substitutions, for example, so that whenever an application asks for "Arial", it actuallly gets "Tahoma". After updating the font configuration, it's often necessary to update fontconfig's cache: fc-cache -v.
• For desktop users, with antialiased fonts and LCD monitors without DVI: LCD monitors auto-adjust by aligning their clock with vertical lines in the image. But, if all the fonts are antialiased, there are no hard edges to crunch on, and the monitor calibration is often poor. Here is a 1280x1024 chessboard: view it at 100% size, then press audo-adjust on the monitor.
• The point is a unit of length, defined as 1 point = 1/72.27 inch; in computing, it is usually redefined to 1/72 instead. A 10-point font means that that the full height of a row of text is 10 points. The "em" is the height of an 'M' or the width of an 'm' in that font. [For example: at 96dpi, 12pt = 16 px; at 133dpi, 10pt = 18px]
• The GIMP freefonts are good, and may be downloaded from here. Also, myfonts.com have a large number of fonts available for preview.
• Summary: it's all about personal choice. If you get used to AA, then switching back to non-AA feels a bit weird for a while. Likewise, vice-versa.

• Revert to "core" (X-default) cursor-theme, or
• De-select the GL screensavers in xscreensaver-demo, or
• Kill and restart xscreensaver every time it unblanks.

#!/bin/bash
#Xscreensaver on Rage128 Mobility card with any cursor-theme other than core messes up the cursor. It is borked
#if last xscreensaver process was a GL one. So kill/restart xscreensaver every time it unblanks.

while : ; do
        echo "Starting xscreensaver; monitoring for unblank..."

	#Watch the xscreensaver status. When unblanking, the line will begin 'UNBLANK'
        xscreensaver -verbose -no-capture-stderr -no-splash 2>&1 | while read LINE; do
                if echo $LINE | grep 'unblanking screen at' &>/dev/null 2>&1 ; then

			echo "Unblank detected. Killing xscreensaver..."
                        killall xscreensaver
                        break;
                fi
        done
done

• Most applications (eg mplayer, amarok, vlc) can do this: simply set the output plugin to be alsa.
• Even the KDE sound server can output to Alsa. (But see below).
• Some applications only understand OSS. (eg /usr/bin/play). In these cases, use aoss to intercept the call to /dev/dsp and redirect it to ALSA. eg aoss /usr/bin/play Beethoven5.ogg [Actually, play itself is just a script, and can be edited to include the aoss anyway.]
• QEMU doesn't work with aoss, so it has to have the sound card to itself.
• CD playback can be done digitally, via alsa (eg by alsaplayer,kscd,vlc) or directly through the sound card.

• kcontrol->LookNFeel->System Notifications->Player Settings->Use external player.
• External player is sox_aplay.sh
• In ~/bin/, I have the following script named sox_aplay.sh:

  #!/bin/bash
  #Play audio file immediately (avoid arts startup delay). Volume decreased to 0.4
  sox "$1" -t wav -v 0.4 - | aplay
  
  #Note: in newer versions of sox, the argument order is different; use this instead:
  #sox "$1" -t wav - vol 0.4 | aplay

  [download]

• Start gnome-alsamixer
• Make sure that all 3 of the Mic and ADC and Capture controls are set to Record.
• Mute the Mic input (the speaker icon should be greyed out). This prevents feedback (unless you are using headphones)
• Optionally, enable the Mic boost (+20dB). This gives much greater sensitivity at the expense of some extra hiss.
• It should now work. Try using the command: record -i mic and you should be able to see the left and right levels move up and down. If so, it's working!
• An alternative is to use the alsa program arecord thus: arecord -f cd -t wav -D front outfile.wav
• amixer can be used to turn on the required mixers:

  amixer sset 'Mic Boost (+20dB)' on	#Enable the Mic boost
  amixer sset 'Mic' mute			#Mute the Mic
  amixer sset 'Mic' cap			#Set the Recording source to Mic
  amixer sset 'Capture' cap		#Set the Capture device to record
  amixer sset 'ADC' cap			#Set the ADC to record

  [download]

• Mplayer - plays practically everything. Run it from the command-line, or use gmplayer for the GUI, or mplayer-plugin from mozilla.
• VLC (videolan client) - also plays virtually everything. Probably the best for DVDs.
• Amarok - excellent program for enjoying .ogg and .mp3 files. [Use the xine back-end.]
• JuK - similar to Amarok; some prefer it.
• XMMS - somewhat venerable, but rapid startup, and very good for audio.
• Kmidi (GUI) and TiMidity (CLI) - for playing MIDI files.
• Alsaplayer - for playing music, and CDs. A key feature is adjustable speed playback (even reverse!)
• KsCD - CD Audio playback.
• /usr/bin/play - a wrapper for sox, which plays sound files.
• festival, espeak, mbrola - speech synthesis programs.
• play,rec,cdp,cdplay,ogg123,mpg123,sox,aplay - useful command-line programs.

• To set up your own audio (or video) stream, use VLC/ It's surprisingly easy; here's the howto.
• To listen to a real-audio stream, use mplayer or realplayer. See below.
• Here is how to record from internet audio streams.
• It is also worth mentioning last.fm (personalised radio), which requires the latest version (1.4.1) of Amarok.
• Another collaborative filtering system is iRate.

• Ensure that no level is set to maximum. This includes the hardware volume control (from the volume buttons). 90% is fine.
• Mute every unneeded control. (Mic, IEC958Input).
• Set 3Dcontrol-switch to ON, but the sliders to 0. No idea why this helps!
• Increase signal-noise ratio by keeping the software mixers high (90%) and controlling the sound level with the hardware volume control.

• lspcidrake -v | fgrep -i AUDIO will tell you which driver your card uses by default.
• grep sound-slot /etc/modprobe.conf will tell you what driver it currently uses.
• /sbin/lsmod will enable you to check if its module (driver) is loaded or not.
• /sbin/chkconfig --list sound and /sbin/chkconfig --list alsa will tell you if sound and alsa services are configured to be run in this level.
• aumix -q will tell you if the sound volume is muted or not.
• /sbin/fuser -v /dev/dsp (as root, if necessary) will tell which program uses the sound card (in OSS-mode). Programs which access the soundcard via ALSA (rather than by writing to /dev/dsp) will not show up here.
• /sbin/fuser -v /dev/snd/* (as root, if necessary) will tell you which programs are currently outputting sound to ALSA.
• Don't forget to check whether sound is also muted in hardware (use the volume buttons), or in the application itself.

1. Ensure you have the source for your current kernel installed. (see below).
2. Download and run the scanModem for information.
3. Download the source package: ltmodem-8.31b1.tar.gz.
4. Untar, and change into the directory: tar xvzf ltmodem-8.31b1.tar.gz; cd ltmodem-8.31b1
5. Become root.
6. ./build_module to compile the module. [don't try ./build_RPM, since it has specfile problems.] Repeatedly press Enter. This results in the modules: ltmodem.ko and ltserial.ko.
7. ./ltinst2 to install the modules. (This fails to complete the first time; don't worry, it will succeed in a moment)
8. cd source; make mdk_install; cd .. This succesfully installs the modules in the destination.
9. ./ltinst2 Finish the installation.
10. ./autoload Make the modules load automatically at boot time. (Adds ltserial to modprobe.preload)
11. ./checkout Finish.
12. /dev/modem is now a symlink to /dev/ttyLTM0 Test it by querying the modem with kppp.

1. Download martian240206.tar.gz.
2. Untar. Read the README.
3. In the driver/ directory, do make clean; make; make install.
4. Add martian_drv to /etc/modprobe.preload.
5. In the helper/ directory, do make; make install.
6. Run /usr/sbin/martian_helper /dev/MODEMNAME. This creates /dev/MODEMNAME, which talks to martian_drv, which in turn talks to the modem.
7. Add this to /etc/rc.local:

   echo "Starting martian_helper on /dev/modem (unless ltserial is loaded)"
   /sbin/lsmod | grep -q ltserial || /usr/sbin/martian_helper /dev/modem  >/var/log/martian_helper 2>&1  &

   [download]

• Use /dev/modem
• Use Dynamic IP. Do NOT "Auto-configure hostnamefrom this IP"
• Default gateway. Assign the default route to this gateway
• Disable existing DNS servers during connection
• BUG: Kppp fails to actually assign the default route during the connection. So, in Accounts->Execute, add:
  • Before connect: sudo ifdown eth0; sudo mv /etc/resolv.conf /etc/resolv.conf.kppsave; sudo touch /etc/resolv.conf
  • Upon disconnect: sudo ifup eth0
  This will work.
• Define the modem network interface for the firewall: add ppp0 to /etc/shorewall/interfaces:

  net ppp0

1. Download 1.0.4.3.arm
2. Rename it to isl3890
3. Move it to the directory /usr/lib/hotplug/firmware/
4. Eject the card cardctl eject, then physically remove and re-insert the card.
5. Now enjoy! configure with ifconfig, iwconfig, or mcc (Mandrake control center) as desired.

• When uninitialised (before the firmware is loaded), it has the bogus value 00:30:B4:00:00:00. This is not unique between cards, and it belongs to Intersil, the chipset manufacturer. [The first 3 pairs of MAC adddreses are uniquely allocated to the manufacturer; the final 3 pairs are allocated by the manufacturer to each card]
• When initialised (after the firmware is loaded), the card reports its true, unique mac address (mine is 00:09:5B:C1:3A:B1), which which is printed on the card - and belongs to Netgear, the wireless card manufacturer.
• The true mac address persists until the card is powered down or ejected, (even if the network is restarted).
• This is because the real mac address is unknown to the card until the firmware is loaded (probably, it cannot read its own mac address out of its EEPROM), /usr/src/linux-2.6.14/drivers/net/wireless/prism54/islpci_dev.c. [Credit is due to Mauro Maroni for putting me on the right track by noticing the MAC range owner - thanks.]

• Try to invoke firmware_helper in the right place with a udev rule. Unfortunately, firmware_helper is undocumented. Reading the source of udev-78/extras/firmware/firmware_helper.c provides some enligtenment: the arguments must be supplied as environment variables, but it isn't clear what the values ought to be (especially DEVPATH).
• Write a udev rule to change the MAC address to the correct one. Use a RUN= key to execute /sbin/ifconfig wlan hw ether 00:09:5B:C1:3A:B1 as soon as the device is detected. Unfortunately ifconfig refuses to do this without the firmware!
• Bring the interface up and then down again (without assigning an IP) as soon as the device is detected. This causes the firmware to be loaded, and is the best solution. We can easily do this by 'piggybacking' on the udev rule to name the wlan interface.

• The udev rules (in /etc/udev/rules.d/10-network.rules) [Note that the RUN="" command must be the full path.]:

  #PCMCIA WLAN card. This is the dummy MAC address which is used before the firmware loads.
  #We then immediately trigger a firmware load by bringing the interface up and down. 
  KERNEL=="eth*", SYSFS{address}=="00:30:b4:00:00:00", NAME="wlan", RUN="/usr/local/sbin/firmware_fudge"
  
  #This is the true MAC address. This should also match the same interface name.
  KERNEL=="eth*", SYSFS{address}=="00:09:5b:c1:3a:b1", NAME="wlan"

  [download]
• The fudge which is executed: /usr/local/sbin/firmware_fudge (remember to make this executable):

  #!/bin/bash
  echo "Fudge to load firmware: "
  /sbin/ifconfig wlan up
  echo "wlan interface brought up (without ip address assigned)"
  /sbin/ifconfig wlan down
  echo "wlan interface now down"

  [download]
• Now, the real MAC addresses can go into /etc/iftab and /etc/sysconfig/network-scripts/ifcfg-wlan.

• Failure to see any access point with iwlist wlan0 scanning means either the hardware isn't working, the driver isn't loaded, or there is no radio signal in reach.
• Failure to obtain an IP address with dhclient is usually caused by firewalling issues.
• Failure to reach the wider internet (usually, you can ping the access-point but no more) is usually caused by having the default-route assigned to the wired-ethernet device. Check this by running route. To stop eth0, do ifconfig eth0 down. (Note: ifdown eth0 won't necessarily remove the default route.)
• This is a useful shell-alias to make everything work (assuming a WEP ASCII key):

• On this laptop: iwconfig wlan0 essid "myessid" mode Ad-Hoc enc off ap 00:0e:1e:11:22:33
• On other laptops: iwconfig wlan0 essid "myessid" mode Ad-Hoc

• Hardware is initialised asynchronously. Module loading order isn't necessarily repeatable (although it usually is).
• PCMCIA and USB NICs may not be present - but load before motherboard's onboard adapter if they are.
• Interfaces are assigned consecutively by the kernel; one cannot reserve eth0 yet assign eth1.
• The wireless network above can get assigned 2 different interface names as its mac changes.

1. Create a udev rule to map the MAC address to the kernel's name. The MAC addresses can be found by looking at the output from cat sys/class/net/<INTERFACE> or ifconfig -a. (or printed on the bottom of the laptop!) Note that the MAC addresses need to be in lowercase. Also, the wlan rules needs to cover both the *bogus* MAC address and the real one. Thus these are defined in /etc/udev/rules.d/10-network.rules:

   #Create a rule for each network interface, to set up sensible, persistent names.
   
   #Internal LAN, was eth0, with driver e100
   KERNEL=="eth*", SYSFS{address}=="00:03:47:8d:da:e9", NAME="lan"
   
   #PCMCIA WLAN card. This is the dummy MAC address which is used before the firmware loads.
   #We then immediately trigger a firmware load by bringing the interface up and down. 
   KERNEL=="eth*", SYSFS{address}=="00:30:b4:00:00:00", NAME="wlan", RUN="/usr/local/sbin/firmware_fudge"
   
   #This is the true MAC address. This should also match the same interface name.
   KERNEL=="eth*", SYSFS{address}=="00:09:5b:c1:3a:b1", NAME="wlan"
   
   #USB network adapter
   KERNEL=="eth*", SYSFS{address}=="00:10:60:DF:BF:81", NAME="usblan"

   [download]
2. Fix /etc/iftab (so that the device is recognised as already-existing): modify the names of devices in /etc/iftab to reflect the new names. Check they are the right way round first! I chose to have lan and wlan, thus:

   usblan	mac 00:10:60:df:bf:81
   lan	mac 00:03:47:8d:da:e9
   wlan	mac 00:09:5b:c1:3a:b1

   [download]
   [ Note: iftab is not used during normal network startup. It is, however used by MCC, the GUI tools, and by autoconfiguration of new interfaces.]
3. Edit /etc/modprobe.conf to pair the kernel modules to the devices. The interface names must match the kernel modules:

   #The interface names match up with the kernel modules.
   alias lan e100
   alias usbnet rtl8150
   alias wlan prism54

   [download]
4. Edit ifcfg-foo so that ifconfig knows what the network settings are. For each network interface, the settings (see man ifcfg) are stored as a series of KEY=VALUE lines in /etc/sysconfig/network-scripts/ifcfg-foo where 'foo' is the name of the interface:
   • Rename the file. Eg: mv ifcfg-eth0 ifcfg-lan etc.
   • Change the 'DEVICE=' entry. Eg: DEVICE=lan
   • Make sure the MAC address is the right one. Eg: HWADDR=00:03:47:8d:da:e9
5. If using static IP addresses, edit /etc/sysconfig/network and change GATEWAYDEV=ethX to the correct interface name. This isn't relevant for DHCP.
6. Change any other files which refer to the old-style interfaces:
   • Shorewall: change the interface names in /etc/shorewall/interfaces and /etc/shorewall/masq.
   • Ifplugd: if used, modify /etc/ifplugd/ifplugd.conf
   • Change the reference to eth0 used in kppp config above.
   • Just in case: grep -inr --exclude=/etc/httpd/* eth[0123] /etc/
7. Reboot to check. [It may suffice to stop the network, rmmod all the modules, and run udevstart.]

• Uncheck the Assign hostname from DHCP address option in the Mandriva control center (mcc).
• Add the line: NEEDHOSTNAME=no to the appropriate /etc/sysconfig/network-scripts/ifcfg-DEVICE
• Hack the default to be off: it's defined in either /usr/lib/libDrakX/network/network.pm or /usr/lib/libDrakX/network/netconnect.pm

• Various zones are defined in /etc/shorewall/zones. These are typically net (the big, bad internet), fw (the firewall, this machine), and loc (the local zone, or intranet, i.e. "trusted" internal systems). For a client-only machine, use fw, not loc.
• Each interface, such as eth0, eth1 and ppp0 is assigned to a zone, in /etc/shorewall/interfaces.
• General policies are defined in /etc/shorewall/policy. Mandrake defaults to allowing all outgoing connections, but restricting inbound connections.
• Specific rules are defined in /etc/shorewall/rules. For example, to allow incoming SSH and Ping from the internet (net) to reach this machine (fw), add these lines:

  ACCEPT  net     fw      tcp     22      -
  ACCEPT  net     fw      icmp    8       -

• IP masquerading (for internet connection sharing) is configured in /etc/shorewall/masq. Note, /etc/shorewall/nat is not unused.

• Remember to firewall off all the interfaces that you use, not just eth0. This probably includes irda0, ppp0 and wlan0.
• Once the shorewall rules are established and tested, run shorewall save: this will cache the compiled rules, and it will then start up *much* faster at boot time.
• The 'optional' interface option allows Shorewall to come up without that interface being present. But you will still generally need to 'shorewall restart' after the interface is up and configured.
• Note: Bug #16917 causes /etc/shorewall/interfaces to be messed up each time a new interface is added. Remember to check and fix it if necessary.

• ifconfig - print information about, or configure a network interface. (example: ifconfig -a, ifconfig eth0)
• ifconfig eth0:1 - create a pseudo interface (eth0:1) on the same physical network connection. This can have a different IP address to eth0. Up to 9 pseudo-interfaces are supported.
• ifplugstatus - tells you whether the cable is plugged in and live. (example: ifplugstatus)
• ifup, ifdown - start and stop an interface, according to the network scripts. (example: ifup eth0)
• ethtool, (mii-tool, obsolete) - view or manipulate network interface status. Eg the link-status and speed-setting of an ethernet port. (example: ethtool eth0)
• dhclient - obtain a dynamic IP address for an interface. (example: dhclient eth0)
• ping - check whether another machine can be reached. (example: ping www.google.com, ping 72.14.207.99)
• route - which ranges of IP addresses should be routed via which device. (example: route -n, route add default gw 192.168.0.1)
• arp - display mapping between hostname/IP addresse and MAC address for devices on the local network. (example: arp, arp 10.0.0.3)
• netcat, nc, telnet - connect to (or listen to) another machine on some port. (example: nc -l -p 1234, nc localhost 1234)
• brctl - configure a network bridge, to make multiple physical interfaces act as one virtual interface. (example: man brctl)
• service network restart - restart the networking subsystem. (Also remember to restart shorewall))
• mcc - mandriva control center: GUI to configure networking.
• iwconfig - print information about, or configure a (WEP) wireless interface (example: iwconfig, iwconfig wlan essid MYSSID enc off)
• iwlist - list wireless access points (example: iwlist wlan scanning)
• traceroute - print the steps on the path from this machine to another (example: traceroute www.google.com)
• whois, nslookup, dig - find out the owner of a domain, name of an IP address, or DNS query (example: whois www.google.com, nslookup 72.14.207.99, dig +tcp @8.8.8.8 www.bbc.co.uk)
• tcpdump - (example: tcpdump -vv -i eth1)
• ethereal (now re-named wireshark) - very useful and flexible GUI for tcpdump. Allows you to view the contents of network packets. (example: ethereal)
• EtherApe - real-time network monitor GUI with impressive graphics. (example: etherape)
• fping, hping - scriptable ping, TCP/IP diagnostics. (example: fping www.example.com www2.example.com)
• iftop - network interface bandwidth monitor, like top, but for the network. (example: sudo iftop)
• netstat - list open connections and sockets on the computer. (example: netstat --inet -lp)
• nmap, nmapfe - map network, scan for open ports (example: nmap -v 192.168.0.*)
• xinetd - network-enable any program. xinetd connects stdin and stdout over TCP/IP on a defined port. (example: dinnerdogd)
• NPtcp - measure and diagnose network performance. (example: machine_1:NPtcp (and open the firewall), machine_2:NPtcp -h machine_1)
• airodump-ng - monitor (and sniff) Wifi. (example: airodump-ng [-c channel] wlan0)
• /etc/sysconfig/network - the hostname is defined here. (Also use the "hostname" command). Iff the IP addresses are static, this must also contain the IP of the gateway (eg GATEWAY=72.14.207.99) and the name of the network device connected to it (eg GATEWAYDEV=eth0)
• /etc/sysconfig/network-scripts/ifcfg-* - interface-specific settings are defined here. (Eg the IP address and netmask of eth0).
• /etc/resolv.conf - the DNS servers are defined here.
• /etc/hosts - some hostname --> IP mappings are defined here, (notably 127.0.0.1 MACHINE_NAME.DOMAIN localhost)

• Temporary change: ifconfig eth0 hw ether 00:01:02:03:04:08 (where 00:01:02:03:04:08 is the mac address you want to have). This can only be done while the interface is down, so first do service network stop (and restart the network when done).
• Permanent change (persistent across reboots): add this line to the relevant /etc/sysconfig/network-scripts/ifcfg-ethX file: MACADDR=12:34:56:78:90:ab. (lower or uppercase is unimportant).

Boot Power source	Current power source	Other condition (/proc/cpuinfo)	CPU Frequency (/proc/cpuinfo)	BogoMips	Measured performance
Battery	Battery	-	697 MHz	847	37 x 106
Battery	Mains	-	697 MHz	847	37 x 106
Mains	Mains	-	996 MHz	1993	47 x 106
Mains	Battery	-	996 MHz	1993	47 x 106
Mains	Battery	Throttled by 87%	996 MHz	1993	13 x 106
Mains	Mains	After sleep (to RAM)	996 MHz	1993	50 x 106

• BogoMips and CPU frequency are measured by the kernel at boot time, and so do not change with the current-power status.
• In my setup, the system is configured (in the BIOS) for "Automatic" power management while on battery, and "High performance" while on mains.
• Measured performance is the result of (yes & sleep 10 ; killall yes) | wc -l, rounded to the nearest million.

• cat /proc/acpi/ibm/light returns the current status of the thinklight ("off") and the available commands ("on, off").
• echo -n on > /proc/acpi/ibm/light turns the light on.

• To monitor what is happening, tail -f /var/log/acpid
• /etc/acpi/events/ contains short files linking the ACPI event eg button/sleep to the script which is to be run.
• /etc/acpi/actions/ is the directory in which these scripts (usually) live.
• To make the daemon aware of changes in /etc/acpi/, do: killall -HUP acpid.
• [Note that the function keys (Fn-Fx) do not generate acpi events until they are enabled with /proc/acpi/ibm/hotkey.]

1. Enable the hotkeys. Append this to /etc/rc.local:

   echo "Enabling thinkpad hotkeys (Fn-Fx)"
   echo -n enable > /proc/acpi/ibm/hotkey

   [download]
2. tail -f /var/log/acpid and observe what happens when Fn-F3 is pressed.
3. Create /etc/acpi/events/fn-f3:

   event=ibm/hotkey HKEY 00000080 00001003
   action=/home/rjn/bin/blink_thinklight.sh    #as above, for diagnostics

   [download]
4. killall -HUP acpid. See if it works. It does!!
5. Now, we need to actually switch off the backlight. This cannot be done with ACPI, but install radeontool (with urpmi), and test:
   radeontool light off ; sleep 2; radeontool light on.
6. The completed files:
   • /etc/acpi/events/fn-f3

     #Fn-F3 toggles the backlight.
     event=ibm/hotkey HKEY 00000080 00001003
     action=/etc/acpi/actions/fn-f3.sh

     [download]
   • /etc/acpi/actions/fn-f3.sh

     #!/bin/bash
     #Toggle the LCD backlight.
     #There is no way to read the LCD backlight status, so we must use a temporary file.
     if [ -f /etc/acpi/actions/lighton.state ]; then
     	echo "Turning off LCD backlight"
     	radeontool light off
     	rm /etc/acpi/actions/lighton.state
     else
     	echo "Turning on LCD backlight"
     	radeontool light on
     	touch /etc/acpi/actions/lighton.state
     fi

     [download]
7. Make fn-f3.sh executable, restart acpid (killall -HUP acpid) and enjoy.

• /proc/acpi/event/lm_ac_adaptor - This is broken: it is never triggered.
• /proc/acpi/event/lm_battery - this triggers actions/lm_battery.sh, which does some wizardry involving laptop_mode, but doesn't seem to do much.
• /proc/acpi/event/lm_lid - this is never triggered. I prefer that that a lid-close should merely turn off the backlight (via the BIOS) anyway.
• /proc/acpi/event/power - a 2 second press of the power button triggers this, and will cause a normal system shutdown with /sbin/poweroff. Pressing it for 4 seconds or more will force an instant poweroff (and reset) in the BIOS.
• /proc/acpi/event/sleep - see below. This is never triggered, but would crash the machine if it were. See below.

• To read the CPU speed, do cat /proc/acpi/processor/CPU/throttling
• To set the CPU speed, do echo X > /proc/acpi/processor/CPU/throttling where X is a number from 0 to 7.
• State 0 represents no throttling, i.e. 100% of full speed, and is the default.
• State 7 represents maximal (87%) throttling, i.e. 13% of full speed. This is much slower, but has lower power consumption. It will also keep the fan inactive.

• During suspend-to-ram, the machine enters a low-power state, stopping almost everything except the DRAM refresh. It can last this way for several days on battery. Resume occurs on re-opening the lid or by pressing Fn.
• In suspend-to-disk. the machine is totally powered off, and the state is saved to the swapfile. On he next boot, the kernel detects the presence of a previously running system, and does some clever gymnastics to switch into it.

1. The user (or an ACPI event) invokes /usr/bin/pmsuspend2 memory. (Invoke with -d for debug).
2. /usr/bin/pmsuspend2 is a symlink to /usr/bin/consolehelper. consolehelper invokes /usr/sbin/pmsuspend2 memory. as root, on behalf of the non-root user, who is logged in locally.
3. This sources the configuration variables from /etc/sysconfig/suspend.
4. It then executes /etc/sysconfig/suspend-scripts/suspend.control memory.
5. suspend.control then iterates over all the files in /etc/sysconfig/suspend-scripts/suspend.d invoking them with the argument "suspend". This is where the system services are shutdown, xorg is chvt'd, and the network is stopped etc.
6. suspend.control then executes an ACPI suspend by doing echo 3 > /proc/acpi/sleep.

• When testing suspend, it may well crash X or the kernel. Save your work! Run IceWM instead of KDE - it's much faster to restart. Also, a remote connection (via SSH) is very useful for debugging! Lastly, set debug=yes in /etc/sysconfig/suspend-scripts/suspend.control.
• First test: is the kernel capable of suspending? Remove PCMCIA cards, then reboot. At the lilo prompt, press Esc, then boot it into runlevel 1 with 2.6.16.20 single. Now, echo 3 > /proc/acpi/sleep, and check that it goes to sleep (and the crescent lights up.) Then, wake it with Fn. Check you can do this more than once. If so, proceed; otherwise, give up now. Note: Neither 2.6.16.20 nor 2.6.17.7 can resume more than once: the second suspend cycle always fails!
• Mandriva's own scripts in /etc/sysconfig/suspend (invoked by pmsuspend2 memory) are insufficient, and a horrific mess of bugs. A crash is guaranteed. My sleep.sh is a wrapper around pmsuspend: the most important things are chvt 1, and cardctl eject. For security, xscreensaver is configured to lock the screen.
• The killall -STOP X...killall -CONT X steps are not strictly required (they used to be vital with apm), however, they are added for extra safety: there is no way the X-server can crash if suspended. However, while X is suspended, it can be crashed by e.g.
  • chvt 7
  • xscreensaver-command (Mandriva's script starts xscreensaver in the background (with &) leading to a race-condition.)
• It is important to remove the script /etc/sysconfig/suspend-scripts/suspend.d/xfree. (Unfortunately, just renaming it to xfree.mdk will not work; it has to be deleted, moved out of the directory, or have the first non-comment line replaced by "exit"). Preserve the changes by adding suspend-scripts to /etc/urpmi/skip.list.
• [If sound does not return after suspend, then try restarting the alsa service. If alsa cannot be shutdown, then some process (possibly timidity) has a lock on the soundcard. Network applications should survive a restart of the network service, however, it seems necessary to restart it twice (pmsuspend already does it once), in order to keep a PCMCIA wireless card happy.]
• The completed files are:
  • /etc/acpi/events/sleep

    event=ibm/hotkey HKEY 00000080 00001004
    action=/etc/acpi/actions/sleep.sh

    [download]
  • /etc/acpi/actions/sleep.sh

    #!/bin/bash
    
    #This is RJN's suspend script. The most important thing is to chvt1, then SIGSTOP X before suspending. Otherwise, X won't resume!
    #The Mandriva scripts as supplied will cause X to hang. Note: the SIGSTOP-SIGCONT are just "belt and braces" (they were previously
    #essential using apm), however, if they *are* used, it is important to avoid race conditions. Avoid either starting the screensaver,
    #or chvt 7  during the time when the X-server is frozen: doing so would crash it.
    
    #This script does not co-exist with Mandriva's scripts, especially if using kill -STOP,CONT. Because suspend.control iterates over
    #suspend.d/*, it isn't safe to just rename xfree to xfree.old. It must be deleted, or modified to exit immediately. Test for this.
    for xfree in /etc/sysconfig/suspend-scripts/suspend.d/xfree*; do
    	grep -vE '^#|^[[:space:]]*$|[[:space:]]*echo' $xfree | head -n 1 | grep -Eqv '^[[:space:]]*exit'
    	if [ $? == 0 ];then		#match if the script'sfirst instruction (lines other than whitespace,comments,echo) is not "exit".
    		echo "Warning: a script /etc/sysconfig/suspend-scripts/suspend.d/xfree* exists and does not exit immediately. Please fix this."
    		exit 1 										#Stop, rather than risk a crash.
    	fi
    done
    
    echo "Sleep button has been pressed."
    
    echo "Syncing Disks"
    sync
    
    echo "Ejecting PCMCIA cards (if present)"	#This is harmless if none are present; if they are there, it is necessary to eject
    cardctl eject					#them. Otherwise, the system will hang.
    
    echo -n "Locking display(s): "				#For all users who are locally logged in, lock the display.
    who | while read line ; do				#Use xscreensaver to do this; start it for them if necessary.
    	RUSER=$(echo "$line" | awk '{print $1}')  	#Important: do NOT do this in the background (with &). Otherwise, a race condition
    	RDISPLAY=$(echo "$line" | awk '{print $2}')     #occurs between the xscreensaver-lock and the kill -STOP, which will crash X.
    	if echo $RDISPLAY | grep -q ':' ; then
    		echo "$RUSER on $RDISPLAY "
                    su $RUSER -c "xscreensaver-command -display $RDISPLAY -lock || \
                      (xscreensaver -display $RDISPLAY -no-splash & sleep 1; xscreensaver-command -display $RDISPLAY -lock)" 2>&1 >/dev/null
    	fi
    done
    echo ""
    
    echo "Switching to console 1 (chvt 1)"		#Switch to console. This is very important!
    chvt 1
    
    echo "Turning off backlight"			#On X22, the backlight doesn't turn off. On A22p, this isn't required, but is harmless.
    radeontool light off
    
    echo "Pausing X server (kill -STOP)"		#SIGSTOP X. Not always necessary, but gives extra certainty that X really can't crash.
    killall -STOP X
    
    if /etc/init.d/timidity status | grep -q running ; then 	#Must stop the Timidity service or ALSA will fail to shutdown.
        echo "Stopping Timidity"					#If that happens, ALSA won't restart, so no sound on resume.
        service timidity stop
        TIMIDITY_RESTART=true
    fi
    
    
    echo -n "Now suspending to RAM... "		#Actually do it. All the Mandriva suspend scripts (/etc/sysconfig/suspend)
    /usr/sbin/pmsuspend2 -d memory			#get invoked here. The resume scripts get invoked on resume.   (-d for debug)
    
    echo "resumed."					#Time passses....we awake. [Press the "Fn" button, or close+open lid]
    
    echo "Turning on backlight"			#Only needed on X22.
    radeontool light on
    
    echo "Continuing the X server"			#Restart X.
    killall -CONT X
    
    sleep 0.5   					#(just in case.)
    
    echo "Switching back to VT7 (chvt 7)"		#Back to X.
    chvt 7
    
    echo "Syncing disks"
    sync
    
    echo "Unblanking screensaver(s)"		#Doesn't unlock the screen, but unblanks the screen and shows the password prompt.
    who | while read line ; do   			#Otherwise, you'd never know when you needed to wiggle the mouse!
            RUSER=$(echo "$line" | awk '{print $1}')
            RDISPLAY=$(echo "$line" | awk '{print $2}')
            if echo $RDISPLAY | grep -q ':' ; then
                    su $RUSER -c "xscreensaver-command -display $RDISPLAY -deactivate"  2>&1 >/dev/null
            fi
    done
    
    
    if [ "$TIMIDITY_RESTART" == true ];then		#If Timidity was running before, then start it up again.
    	echo "Starting Timidity"
    	sleep 2					#Sleep to allow ALSA to stabilise.
    	service timidity start
    fi
    
    echo "Restarting the network"			#Restart the network - or the wifi card won't work.
    service network restart				#(It will appear ok in ifwconfig, but dhclient will silently fail)
    
    echo "Done"
    exit
    
    
    #Note: on the A22p, there is no need for any special fix for the mouse sensitivity. It remains where it was.
    #Otherwise, we'd need to do:   sudo sh -c "echo -n 255 > /sys/devices/platform/i8042/serio0/sensitivity"

    [download]
• Make sleep.sh executable, restart acpid, press Fn-F4, and cross fingers!
• Set the BIOS to not automatically suspend on lid-close. Sometimes, it's useful to keep the machine running with the lid shut; also it prevents a possible race-condition between starting the suspend-script above, and triggering a BIOS suspend by closing the lid. ALSO, ensure that there is NO ACPI event defined to suspend on lid-close.
• You may also wish to configure klaptop to automatically suspend on low battery - but only if you trust suspend!.
• Note: the screensaver only protects the X-session. If there are any logins on the virtual consoles, this is not secure. See above.

• /dev/camera_e300 -> /dev/sdX1
• /dev/usbkey -> /dev/sdY1

1. Find the relevant device. For example, use dmesg to find the relevant device. In the case of USB storage, this would be /dev/sdX1 for the correct X.
2. Obtain the udev information on this device. Either find the entry in /sys or use the entry in /dev. Use one of:

   udevinfo -a -p /sys/block/sda/sda1      #look up path in /sys
   udevinfo -a -n /dev/sda1                #look up device name in /dev
   

3. This will give several paragraphs; use the information from any one block. (You can also narrow it, by using one more block, by using plurals (eg "KERNELS"). We then create the udev rule, for example.

   BUS=="usb", SYSFS{manufacturer}=="OLYMPUS", SYSFS{product}=="E-300", KERNEL=="sd?1", NAME="%k", SYMLINK="camera_e300"

4. Here, we have several key-value pairs. Those with "==" are comparisons, which must all be satisfied. The assignments (with "=") are the operations. So, this rule means: "If a new device is found on the USB bus, with manufacturer "OLYMPUS" and product "E-300", and the kernel would want to assign it device /dev/sdX1, then create the entry in /dev which the kernel would already have picked; also create the symlink /dev/camera_e300."
5. Save the rule into /etc/udev/rules.d/10-local.rules.
6. Now, make udevd aware of the new rule. For a recent kernel, using inotify, the rule will automatically be picked up. Just unplug and replug the device. Alternatively, run udevtrigger, or (less optimally), udevstart. If inotify is disabled, use udevcontrol reload_rules . [Note: Mandriva 2006 doesn't have udevtrigger, nor a recent udevcontrol.]

1. Plug in the camera. Run dmesg to find the device (/dev/sdX1), and then obtain the udev information on it with udevinfo -a -p /sys/block/sda/sda1.
2. Use the information in any one block to define the camera. This is my udev rule in /etc/udev/rules.d/10-local.rules:

   BUS=="usb", SYSFS{manufacturer}=="OLYMPUS", SYSFS{product}=="E-300", KERNEL=="sd?1", NAME="%k", SYMLINK="camera_e300"

3. Make udevd aware of the new rule, then plug in the camera. When the camera is plugged in, /dev/camera_e300 is automatically created.
4. Create the mountpoint mkdir /mnt/e300 and add this to /etc/fstab:

   /dev/camera_e300 /mnt/e300 vfat pamconsole,ro,noexec,noauto,iocharset=iso8859-15,noatime,dmask=0022,fmask=0133 0 0

5. Some of the mount options are interesting: pamconsole means that the device is always owned by the physically logged-in user (so I don't need to become root to mount and unmount it); ro is because the computer should never modify the camera's file system; noauto prevents the filesystem from being mounted at boot time; dmask and fmask create sensible default permissions for the files (FAT doesn't have permissions at all, so the defaults are 777. But photographs really shouldn't be marked as executable!) Lastly, managed is not present. ("managed" denotes that an fstab entry was automatically created - and can be automatically removed.)
6. Now, I can just plug in the camera, and mount /dev/camera_e300 without even needing to be root.
7. Note that KDE will no longer pop up a dialog box. See below or bug 126208.

1. Connect printer to LAN. Find printer's default IP address. Configure eth0 temporarily to an IP in the same range. Log in to web-based printer control panel, and set a sensible static IP address for it. (Or it can use DHCP).
2. Use Mandriva Control Center to add the printer. It's a network printer on port 9100. (This is standard). Use the recommended ghostscript+hpijs driver.
3. Bookmark the printer's web interface - to check ink levels.
4. Set CUPS not to look on the network for other printers, nor to broadcast this one. (This is the "Browsing Off" setting in /etc/cups/cupsd.conf.)
5. Now, use KDE's excellent printer tool kups (as root) to configure the printer settings. I created 6 different instances of the printer, for ease of use:
   • bw_draft - greyscale, fastest. Still very good. Default.
   • bw_fine - greyscale, best quality.
   • bw_draft_duplex, bw_fine_duplex - with duplexer.
   • colour - colour
   • colour_photo - colour, photo paper.

• kprinter, kups and xpp are GUI printing tools.
• lp and lpr print files from the CLI. They can print (at least) .txt, .pdf, .ps, .jpg and STDIN.
• cancel cancels a print job. (use with -a for all jobs).
• lpq to see printer queue status.
• lpstat -a to see printer status.
• lpadmin -p [printername] -E to re-enable a printer which has decided to stop. (Note: the order of arguments is important)

• If CUPS takes ages to start, this is a manifestation of the Broken HalDaemon problem below.
• If you experience long delays, check /etc/hosts: see here.
• Note - if a print job is cancelled at the GUI, it will usually finish printing the current page, and the next one. Use the kill-button on the printer instead!
• The CUPS web interface is on http://localhost:631/.
• For further information, see linuxprinting.org.

• Viewers: gv, kpdf, xpdf,
• Editors: lyx, tex, (and openoffice, which has pdf export), xfig (output to .eps)
• Printing: lp, lpr, kprinter,
• Conversion: pdftotxt, pdf2ps, ps2ps, ps2pdf, pstops, psselect, psnup, convert, a2ps etc..

• To send and receive faxes, install efax. Edit ~/.efaxrc: set to answer after a single ring, and to use /tmp for lockfiles. There is a GUI frontend: efax-gtk, and a CLI interface fax.
• To "print" directly, use KDEPrintFax as a virtual printer.
• Don't use ksendfax: it's redundant, obsolete, and it segfaults. Also, I don't recommend hylafax here: it's very sophisticated, but unnecessarily complicated for occasional use.
• You can also use the excellent free email-fax gateway service from www.tpc.int. This is simple and reliable, but only supports outgoing faxes. A fax coversheet is prepended, which may include an advert from the operator.

• My Olympus E-300 is a usb mass storage device and works perfectly. (See above).
• It is worth mentioning that some digital cameras (mainly expensive Canon cameras) are not USB mass-storage devices. These can be accessed by using gphoto2.
• Gphoto2 also works with 'toy' digital cameras such as the 'Nisis Quickpix QP3'. Use gphoto2 --auto-detect to identify it (as an Aiptek Pencam), then use gphoto2 -P to download images.
• There is a bewildering array of digital photography applications available on Linux! I personally like albumshaper. (GWenview, F-spot, DigiKam, Gthumb, Eye of Gnome, and qiv are also useful.)
• It is possible to extract RAW images (and obtain better quality post-processing) by using dcraw. Hugin allows many photos to be combined seamlessly into a panorama. There's also some support for HDR (High Dynamic Range) images, formed by superimposing different exposures.
• Most cameras (including the E-300) now have a gravity-sensor built in, so they save the orientation inside the EXIF tags in the JPEG. The photo can be automatically, losslessly rotated, and the orientation reset, by using Gwenview/kipi-plugins, or Gthumb, or exifautotran. [Also, unless this is done, different applications will display "portrait" photos in different orientations, since some ignore EXIF tags, and some do not.]
• Image editing and compositing applications include the Gimp, OpenOffice Draw, Xfig and Inkscape. Sadly, the potentially very promising, but not yet finished Xara Extreme project has effectively failed.

1. Before starting, save a list of the currently installed packages: rpm -qa > rpms_pre_upgrade.txt. You can revert to this if necessary.
2. Remove the KDE 3.5.1 urpmi source (if you have it), and then add the seer of souls KDE 3.5.2 repository: urpmi.addmedia SoS-KDE-3.5.2 http://seerofsouls.com/mandriva/2006/i586/KDE-3.5.2/ with hdlist.cz
3. Warning #1: Bad Things will happen if you allow this upgrade to pull in upgrades to HAL and DBUS from the SoS 2006 repository. (see below for more details)
   
4. Prevent k3b from being upgraded: add these lines to /etc/urpmi/skip.list:

   #k3b because of libHal/DBUS
   k3b
   libk3b2
   k3b-dvd

5. It is not necessary (despite these instructions) to completely remove the existing KDE packages.
6. Download all the new KDE packages: urpmi auto-select --test --force
   Then, install the packages. If there are any error messages, make a note of them. urpmi auto-select
7. Logout, and restart X (service dm restart)
8. You may find at this point that KDM doesn't work, and you cannot log in to KDE. The KDM config file is no longer valid: I didn't experiment to find the exact root cause, but here is an (ugly) solution which worked:
   1. Forcibly uninstall kdm: rpm -e --nodeps kdebase-kdm kdebase-kdm-config-file
   2. Remove the kdmrc config files. This is /etc/kde/kdm/kdmrc; also remove anything RPM has helpfully left behind: /etc/kde/kdm/kdmrc.rpmnew, /etc/kde/kdm/kdmrc.rpmsave.
   3. Re-install kdm (and get a fresh, working config file): urpmi kdm
   4. Re-customise KDM from kcontrol if desired.
   5. Some enlightenment might perhaps be found in /etc/kde/kdm/README.
9. The splash screen and kmenu side-image still identify as KDE 3.4. Fix the splash screen by choosing another one from kcontrol->LookNFeel->Splash screen. Fix the menu side-image. Mandriva have hard-coded it to be /usr/share/apps/kicker/pics/kside_download.png when it ought to be /usr/share/apps/kicker/pics/kside.png. Copy the latter over the former.

1. The packages concerned are the dbus and hal ones: rpm -qa | grep -E 'dbus|hal'. The incorrect packages are those ending in .SoS, and the desired ones are those ending in mdk. We need to downgrade the packages to earlier versions.
2. Remove the unwanted SoS packages with rpm: use --nodeps, or half the system will come away with them!

   rpm -e --nodeps dbus-0.50-1.2006.SoS dbus-x11-0.50-1.2006.SoS libdbus-1_1-0.50-1.2006.SoS libdbus-qt-1_0-0.50-1.2006.SoS libdbus-glib-1_1-0.50-1.2006.SoS libdbus-1_1-devel-0.50-1.2006.SoS hal-0.5.4-2.2006.SoS libhal1-0.5.4-2.2006.SoS libhal1-devel-0.5.4-2.2006.SoS

3. Download the Mandriva 2006 packages from the urpmi media source for main. Use lftp and the medium listed in /etc/urpmi/urpmi.cfg. We need hal*.rpm, libhal*.rpm, dbus*.rpm, and libdbus*.rpm, Then install them with urpmi:

   urpmi ./dbus-0.23.4-5.1.20060mdk.i586.rpm ./dbus-x11-0.23.4-5.1.20060mdk.i586.rpm ./libdbus-1_0-0.23.4-5mdk.i586.rpm ./libdbus-qt-1_0-0.23.4-5mdk.i586.rpm ./libdbus-qt-devel-1_0-0.23.4-5mdk.i586.rpm ./libdbus-glib-1_0-0.23.4-5mdk.i586.rpm ./hal-0.4.8-15.1.20060mdk.i586.rpm ./libhal0-0.4.8-15.1.2006mdk.i586.rpm ./libhal0-devel-0.4.8-15.1.2006mdk.i586.rpm

4. Restart the daemons: service messagebus stop; service haldaemon restart; service messagebus start.
5. Remove the offending urpmi source, or, if necessary, block any further updates with /etc/urpmi/skip.list.

   #Don't update HAL/DBUS from SoS
   hal
   libhal
   dbus
   libdbus
   dbus-x11

   [download]
6. The SoS versions of K3B have dependencies on the SoS libhal/libdbus. So, uninstall them, and re-install Mandriva's pacakges for: k3b, k3b-dvd, libk3b2. Then, add this to /etc/urpmi/skip.list:

   #K3b (in the SoS KDE 3.5.x repository) depends on the WRONG version of hal/dbus. Keep Mandriva's version:
   k3b
   libk3b
   k3b-dvd

   [download]
7. Run urpmi --auto-select to repair any damage done by the rpm --nodeps above: there shouldn't be any. To double-check: rpm -Va | grep dependencies.
8. Consequence of the fix: KDE storage media will now claim "HAL backend: No support for HAL on this system". This doesn't seem to make much difference though.

• Accessibility:
  • Keyboard Layout -> Xkb Options -> Make CapsLock an additonal Control
  • Keyboard Shortcuts -> Application shortcuts: Set up the same bindings as Readline for Ctrl-A and Ctrl-E. "Select All" = no shortcut. "Beginning of Line" = Home and Ctrl-A. "End of Line" = End and Ctrl-E. "Text Completion" = no shortcut.
• Components:
  • Component Chooser -> Email Client -> Use a different email client: mozilla-mailto.sh "%t" "%s" Then create ~/bin/mozilla-mailto.sh:

    #!/bin/bash
    #Send email in thunderbird. First, try to connect to a running process; then start a new process if required.
    #Argument 1 is "To" and argument 2 is "Subject"
    if [ -n "$1" ]; then TO="$1" ; else TO="nobody@example.com" ; fi
    if [ -n "$2" ]; then SUBJECT="$2" ; else SUBJECT="" ; fi
    ( $HOME/bin/mozilla-thunderbird -remote "openurl(mailto:$TO?subject=$SUBJ)" || $HOME/bin/mozilla-thunderbird "mailto:$TO?subject=$SUBJ" ) &
    exit 0

    [download]
  • File Associations: set up sensible bindings for multimedia. In order of preference:
    • .ogg, .mp3, .m3u: Alsa Player, Xmms, amaroK, VLC media player
    • .mpg, .mov, .wmv .avi: VLC media player, Mplayer
• Information:
  • Protocols contains a list of the KDE ioslaves. Eg fish:/ or media:/
• LookNFeel:
  • Background: wallpapers as desired, same for each desktop (for best performance). Advanced: use solid black colour behind text OR enable shadow; 2 lines for icon text.
  • Behaviour: allow programs in desktop window. (This permits xearth etc to run)
  • Colours: to taste. I prefer to have "Title Blend" darker than "Title Bar" and "Inactive Title Bar/Blend" different from "Active Title Bar/Blend".
  • Fonts: see fonts section.
  • Icons: Connectiva Crystal - classic
  • Launch feedback - disable busy cursor, enable taskbar notification for 5 seconds.
  • Multiple desktops: 4.
  • Panels: Show RH hiding button, no animation. Menu: name (Description). Show side image. QuickStart Menu items: show the 15 applications most recently used. Disable transparency; enable background image. Appearance->Advanced Options: Hide applet handles (after you have arranged them as desired!)
  • Screensaver: none - we are using xscreensaver instead.
  • Splash screen: Default (the Galaxy one still says KDE 3.4)
  • Style: Keramik. Show icons on buttons. Disable animations. Toolbar text position: Icons Only.
  • System Notifications: change the most annoying sounds: "KDE is starting up" = KDE_Startup_1.ogg. "A critical message is being shown" = KDE_Error_3.ogg.
  • Taskbar: Group similar tasks: never. Appearance: Elegant.
  • Window Decorations: Keramik; don't draw grab bars below windows, Add custom title-bar button for "keep above others".
• Peripherals:
  • Mouse: Single click to open files and folders. (This isn't MS Windows!). Theme: crystalcursors. Mouse wheel scrolls by 5 lines.
• PowerControl:
  • See section on ACPI
• Sound:
  • See the section on sound for Arts/Alsa/Midi.
• System:
  • KDE Performance: preload an instance of konqueror after KDE startup.
  • Login Manager: Echo mode = 3 stars. Set wallpaper = "Spot the fish" (Download from kdelook.org with Blue (#21449c) background.) Set font = Tahoma, without antialiasing. Convenience: preselect previous user, focus password.. [If desired, Disable the existing theme in System->KDM Theme Manager.]
  • Storage Media. see below.
  • Paths: set Documents path to /home/rjn. This is KDE's default location for saving and opening files; it is only coincidentally equal to /home/rjn/Documents/.
    [i.e. KDE should always default to /home/rjn, but I use ~/Documents for certain files (like the Windows "My Documents" folder).]
  • Window behaviour: Focus follows mouse; Titlebar double-click = Maximise; Don't display content in moving/re-sizing windows (for performance); Don't animate minimise and restore; Don't allow moving and resizing of maximised windows; Transparency is fun, but very slow (and needs the Composite extension to be enabled in xorg.conf).
• WebBrowsing:
  • See the web browser section.

• Configuration is in: kcontrol -> System -> Storage Media.
• Inotify must be enabled, [see above], otherwise kded will constantly poll the disks.
• Devices which are dynamically created (with udev rules above), but which have permanent entries in /etc/fstab will not trigger events.
• Important: media will be automatically mounted, but will not be automatically unmounted. It isn't safe to just physically pull the device out! [Physically removing a device with a mounted, writeable filesystem can crash the kernel; also, writes are asynchronous, so saved files may not have been actually written to the device until it has been sync'd.] Remember to manually umount.
• This is available with a GUI in konqueror: visit the URL: media:/ (or devices:/) to see mounted and umounted filesytems/devices. To unmount, right-click->"Safely Remove". [Note: the URLs must be typed exactly, with only one slash.]
• The Gnome equivalent is Gnome volume manager, configured by gnome-volume-properties, and may also be running (as a consequence of the GTK font workaround.)

• The actions are defined by KDE servicemenus. These apply to konqueror generally. System-wide ones are in /usr/share/apps/konqueror/servicemenus/ and user-specific ones are in ~/.kde/share/apps/konqueror/servicemenus.
• For CD burning, we need to have the %U or KDE Removable media complains about Bad URL. But we dont't want it or k3b will complain. Workaround: use this command:
  echo %U ; k3b
• Added a DVD playback option. gmplayer is most user-friendly. The command required is:
  /usr/bin/gmplayer -quiet -fs dvd:// %U
  [Note: the %U is a bug: it is required to prevent an erroneous error message]
• Hack: to specify that CDs should be ripped in Grip, not kaudiocreator, edit /usr/share/apps/konqueror/servicemenus/audiocd_extract.desktop and change Exec=kaudiocreator %u to Exec=grip %u

• Wallpaper may be obtained from kde-look.org or from PDphoto.org or khotnewstuff. There are also some stunning (mainly commercial) wallpapers from DigitalBlasphemy.com. The background can also be set to a slide-show, or a background program. Great fun can be had by enabling blending (eg hue-shift!). Saved wallpapers live in ~/.kde/share/wallpapers.
• Icon-text background may be a solid colour, OR a drop-shadow. This option is hidden in Background->Advanced Options. [I recommend enabling 2-lines at about 130 columns for icon-text.]
• Icons can be aligned to grid, and then locked in place. (right-click desktop). Finally, as of KDE 3.5.0, the icons stop jumping around between logins! However, it is broken in 3.5.2 and not fixed until 3.5.4. [Partial workaround: turn off Desktop Icons (right-click->behaviour), then back on again. Or while not running KDE, delete/edit .kde/share/apps/kdesktop/IconPositions.]
• Create shortcuts on the desktop for system:/ and media:/.
• If desired, the KMenu icon (bottom left) can be reverted from the Mandriva star to the KDE default: edit ~/.kde/share/config/kickerrc, find the section [KMenu] (add it if needed), and then add below it: KmenuUseMdvIcon=false. Then restart kicker.

1. Mandriva already created a basic directory structure, some of which I don't like. Also, many of the icons on the desktop are special .desktop files, and do not represent directories or symlinks: this means that they don't play nicely with the CLI.
2. Firstly, remove the Mandriva weirdness - this is actually quite tricky. Some (but not all) of it is described in the release notes.
   • Remove any superfluous icons from the Desktop. Then remove any unneeeded files (including hidden files) from ~/.Desktop.
   • Remove unwanted folders in /home/rjn/. Mandriva create Video,Music,Download (all with corresponding desktop icons).
   • Get rid of the weird icon for Documents: remove ~/Documents/.desktop.
   • Remove ~/.kde/DESKTOP_ENTRY and its contents.
   • The release-notes also suggest touch ~/.mdk-no-desktop-launch.
   • Fix the icons in the quick-launch panel of the KDE File-open dialog (see below).
3. Create a directory structure as desired. This is the one I use:
   • Actual Directories

     /home/rjn/
     |	archive/				#archived copies of files.
     	bin/					#for shell scripts. This directory is already in $PATH.
     	briefcase/				#files to move back and forth between computers.
     	Desktop/				#The Desktop (used by KDE)
     	Documents/				#Location for documents (most files). Equivalent to "My Documents".
     	media/					#Multimedia
     		video/, music/, photos/
     	public_html/				#Web development or files published on web.
     	src/					#Program source code (mine, or downloaded)
     	todo/					#Action lists
     	tmp/					#Temp files (needed by system)
     

   • Symbolic links for convenience (ln -s)

     /home/rjn/
     	trash -> .local/share/Trash/files/	#The actual location of trash in the new KDE (and GNOME)
     
     /home/rjn/Desktop/
     	Documents -> ../Documents/		#For GUI convenience when starting on the desktop.
     	music -> ../media/music/
     	photos -> ../media/photos/
     	PhD -> ../Documents/PhD/
     	todo -> ../todo/
     

   I also wrote a script (user_homedir_makedirs.sh) to set this up.

• It supports tab-completion
• It remembers how large it is. Open the dialog, make the window most of the screen size, then close it. Voila: much easier to see files!
• It has inline preview.
• Sort-order can be case-insensitive.
• Folders can be shown in a separate pane (Persistent setting, F12 to toggle)
• Hidden files can be turned on/off (F8)
• The quick access navigation panel on the left (F9) can contain certain frequently accessed directories - just right-click it to add them. (and these can be customised per-application)

• Select text and text is automatically copied ; Middle-click to paste.
• Ctrl-C to copy ; Ctrl-V to paste
• [In nano,emacs,bash,pico, there is also a 3rd kill-buffer using Ctrl-K, Ctrl-U/Ctrl-Y]

• CPU: Kernel=dark_green; User=mid_green; Nice=pale_green; IOWait=yellow
• Memory: Kernel=dark_blue; Used=mid_blue; Buffers=light_blue; Cached=pale_blue
• Swap=purple.

• Sessions: If you leave some KDE-applications open when you log out, they will be re-started in the same state when you return. (Configured in kcontrol->Components->Session Manager)
• KDE Startup and shutdown scripts: Any scripts placed in the .kde/Autostart/ and .kde/shutdown directories are run automatically on starting and exiting KDE. [This is similar to ~/.bash_profile and ~/.bash_logout; note that .bash_logout is not run by default on exiting KDE.]
• IOSlaves: These are KDE resources which allow all applications to do some clever things. For example, you can edit a remote document over ftp/ssh/http, you can use fish:/ to drag-and-drop remote files, and use man:/ and info:/ to view documentation in konqueror. (Some information is in kcontrol->information->protocols). There is also a KIOSlave FUSE module.
• Keyboard shotrcuts for kwrite: Alt-F and Alt-B can be bound to "move back/forward one word" in kwrite (settings->configure editor->shortcuts). [Ctrl-A,Ctrl-E are defined globally above.]
• Konqueror autoscroll: Press shift, then up/down arrow. Konqui will continue to scroll automatically.
• Scripting KDE: here is a useful presentation.
• Kstart: Start program with custom window options (eg window title, desktop number. skip-task-bar etc). kstart --help for more.
• Ksystraycmd: start program, put window into systemtray. ksystraycmd --help for more.
• Kommander: a way of doing "graphical shell scripting" with QT: Here is an introduction and a tutorial. The Kommander homepage has some more information. Also try out this toy word processor.
• Kdialog: KDE dialog box to interact with scripts. (Like xdialog). Eg: kdialog --title "Fortune Cookie" --msgbox "`fortune`"
• Scripting X: see this article, also wmctrl and devilspie.

• Font settings are configured with gnome-font-properties: see above.
• GTK-2 applications (eg firefox) are configured with gnome-theme-manager. I like the Galaxy2 or GrandCanyon themes.
• GTK-1 applications (xmms,mozilla), are configured from Menu->System->Configuration->Other->GTK Theme Switch (/usr/bin/switch) or by editing ~/.gtkrc. I prefer 'Eazel-Blue' (to give easily visible scroll-bars) but with Kcontrol->colours set to "Apply colours to non-KDE applications", which makes it less dark-grey.

• Settings->Configure Konqueror:
  • Web Behaviour:
    • Tabbed Browsing->Advanced Options: uncheck: 'Open new tab after current tab', uncheck 'Activate previous used tab when closing the current tab'.
    • Underline links
  • Java & Javascript: Enable globally; Javascript->open new windows = 'smart'.
  • Web Shortcuts: these are extremely helpful, and many are already defined. However, only a few (such as wp: and gg: for wikipedia search, google search) are active by default.
  • Adblock Filters: enable these, and add the same list as for mozilla below
  • Browser Identification: can spoof user-agent as, for example, MSIE on NT5 on a per-site basis, if it is required to defeat stupid browser-sniffing.
  • Plugins: Load plugins on demand only, CPU Priority for plugins: lowest. No more flash except when I click to start it, and no cpu-hogging either! :-)
    [Konqueror will automatically scan for mozilla plugins at startup, and incorporate them automatically.]
  • Performance: Preload an instance after KDE startup.
• Settings->Configure Shortcuts:
  • Reload: Ctrl-R (and F5).
  • Homepage: Alt-Home (and Ctrl-Home)
  • Leave Ctrl-L as it is: Clear Location Bar (which also focuses the location bar).
  • Line-editing shortcuts (Ctrl-A,Ctrl-E etc) are already configured kde-wide above.

1. Edit (or create if needed) ~/.gtkrc-2.0 and add (or change) the line:

   gtk-key-theme-name = "Emacs"

2. Use gconf-editor, and change the key: desktop->gnome->interface->gtk_key_theme from 'Default' (MS Windows-like) to 'Emacs'.
3. Restart the browser.

Shortcut Key	Action	Note
Ctrl-A	Go to start of line	in message-list, this does 'select-all'
Ctrl-E	Go to end of line
Ctrl-K	Cut to end of line
Ctrl-U	Cut whole line	while reading content, this does 'view page source'
Ctrl-C,X,V	Copy,Cut,Paste
Ctrl-Y	Paste	Pastes what was last selected, not the result of Ctrl-K/U
Ctrl-L	Go to Location Bar	In mozilla-suite, press up_arrow to search google.
Ctrl-J	Go to Search Bar	Firefox only
Ctrl-R	Reload page
Esc	Stop Loading
Ctrl-N	New browser window
Ctrl-M	Compose new mail
Ctrl-1,2,5	Go to browser/mail/address windows	Only in mozilla suite.
Ctrl-T	New Tab	In mail, 'get new messages'
Ctrl-W	Close tab
Ctrl-Q	Quit (dangerous!)	Ignored in firefox
Ctrl-F	Find in page	(F3 = find next; Shift-F3 = find previous

• It makes web browsing faster and less cluttered.
• It removes the very anti-social animated flash advertisments which hog a large amount of CPU, and which continue to do so even in background tabs.
• It prevents the most common occurrence of this bug, where the whole mozilla UI locks up for up to a minute - one cannot even close the tab, or the window, nor will the window re-paint. This seems to be caused by the server stalling mid-TCP connection; usually the overloaded server is a 3rd-party adserver. [netstat reports that the socket is sitting in 'CLOSE_WAIT'.] Wait 2 minutes, and mozilla will usually come back to life.

keyword	location
wp:	http://en.wikipedia.org/wiki/Special:Search?search=%s
gg:	http://www.google.com/search?q=%s
gl:	http://www.google.com/linux?q=%s
dict:	http://dictionary.reference.com/search?q=%s

• By default, if you middle click in the main browser window, mozilla will treat this as a paste, and attempt to load the URL just visited. It's a neat feature, but can be terribly annoying if you want to open a link in a new tab, but just don't quite hit it it! Disable it thus, if desired:

  middlemouse.contentLoadURL = false

• Network performance can be improved by changing:

  network.http.pipelining = true
  network.http.proxy.pipelining = true
  network.http.pipelining.maxrequests = 40

• Extensions I am currently using:
  • Adblock and FiltersetG updater - as described above.
  • Tab Mix Plus - allows drag-and-drop reordering of tabs and many other features. It includes a session manager to recover from crashes, and allows tabs to be un-closed (by right-clicking the tab bar). My configuration includes "prevent blank tabs when downloading files", "Don't show close icon on each tab". and "Middle-click on tab does *not* close it".
  • Image Zoom - right click an image, resize it.
  • Web Developer Toolbar - very,very good. All sorts of useful things, including local HTML validation, and editing the HTML/CSS of pages in the sidebar.
  • Aardvark - very clever way to see, and edit the individual page elements. Good for printing.
  • HTML Validator (locally, using Tidy.)
  • CustomizeGoogle - helpful tweaks for Google.
  • Update: Image Zoom functionality is now native to Firefox. Consider also Flashblock, Facebook Disconnect, keyword.URL hack.
• Extensions I like, but am not currently using:
  • UrlParams nice - but it intereferes with "add keyword for this search"
  • Session Saver - allows retrieval of session after a crash, and un-closing of tabs :-) [But this is duplicated by Tab Mix Plus]
  • Colorful tabs - assigns colours to tabs, making it easier to arrange to them.
  • StumbleUpon - Serendipitously find other highly-rated websites.
  • Firebug - another way to see javascript errors in webpages. Seems powerful - but I can't actually figure it out!
  • View Formatted Source (Fx does view the whole page source anyway, but very neat "inline" mode)
  • HTML Validator - opens new tab to validate page (with W3C's validator) - nice, but duplicated by Web Developer toolbar.
• Some tools which already exist on Linux, so no extension is needed:
  • kruler - screen ruler in pixels.
  • kcolorchooser - select html colours.
  • check-link - check links.

1. Download and install the latest Firefox.
2. Move ~/.mozilla/firefox out of the way. Then run firefox, (which now has a clean configuration), and install extensions, plugins and set it up as desired. Close mozilla and firefox.
3. Make a backup copy of ~/.mozilla.
4. The Mozilla and Firefox profile contents are described in detail here. The Mozilla profile resides somewhere like: ~/.mozilla/rjn/a01xhcth.slt/ and the Firefox profile resides somewhere like: ~/.mozilla/firefox/gkxpc0f1c.default.
5. Copy bookmarks across, by copying the bookmarks.html file.
6. Copy passwords across by copying the xxxxxxxx.s file across, and renaming it to signons.txt. Also copy key3.db.
7. Copy cookies and history: cookies.txt and history.dat.
8. Some more details are here.

• For Firefox, simply edit ~/.mozilla/firefox/profiles.ini/
• For Mozilla, create a symlink (cd ~/.mozilla/rjn/; ln -s a01xhcth.slt a02fhgli.slt)so that Mozilla can find the actual profile by looking where it wants to look. This is necessary, since Mozilla stores absolute paths!

• Make sure Java is installed - see below.
• In Konqueror, just specify the path to the java executable. Usually, this is just "java".
• In Mozilla and Firefox:
  1. Create the mozilla plugins directory, if necessary: mkdir ~/.mozilla/plugins. Change into it: cd ~/.mozilla/plugins.
  2. Create a symlink to the correct java executable: ln -s /usr/java/jdk1.5.0_07/jre/plugin/i386/ns7/libjavaplugin_oji.so .
  3. Restart the browser. Test it here.

• Download install_flash_player_7_linux.tar.gz. Note: there won't be a version 8 for Linux; we have to wait for 8.5.
• Untar. Close browsers. Run ./flashplayer-installer.
• To test, look at this CSS box model or John Cleese's Institute for Backup Trauma.
• To avoid much irritation with flash adverts, use adblock.

• cd ~/.mozilla/plugins
• ln -s /usr/lib/RealPayer10GOLD/mozilla/nphelix.so .

• cd ~/.mozilla/plugins
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in.so .
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in.xpt .
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in-wmp.so . - For Windows Media (.wmv) files. (but this is sometimes unstable)
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in-wmp.xpt .
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in-qt.so . - For Quicktime (.mov) files.
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in-qt.xpt .
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in-rm.so . - For Realplayer (.rpm, rtsp://) files. Or use realplayer.
• ln -s /usr/lib/mozilla/plugins/mplayerplug-in-rm.xpt

• Go to the URL: about:config
• Right-click, and add a new string:

  network.protocol-handler.app.mailto =  /home/rjn/bin/thunderbird     #or /usr/bin/thunderbird if using the official packages.

• Go to Edit->Preferences->Advanced and Click the "Config Editor" button.
• Right-click, and add new strings:

  network.protocol-handler.app.ftp = /home/rjn/bin/firefox      #or /usr/bin/firefox if using the official packages.
  network.protocol-handler.app.http = /home/rjn/bin/firefox
  network.protocol-handler.app.https = /home/rjn/bin/firefox

1. Download Java from here. I recommend the JDK (Java Development Kit), which includes both the javac compiler and the JRE (Runtime environment). Get the package called "J2SE(TM) Development Kit 5.0 Update 7" (which is 45MB) and not the one with NetBeans (which is 140MB, and doesn't install anyway). Download the Linux RPM in self-extracting file.
2. Sun's installation instructions are here.
3. Then, as root: sh jdk-1_5_0_07-linux-i586-rpm.bin, type "yes", urpmi ./jdk-1_5_0_07-linux-i586.rpm. It's now installed, but not in the path.
4. Remove any old versions (or links to /etc/alternatives/): cd /usr/bin; rm java javac javadoc javah javap jar
5. Create symlinks to the new versions: ln -s /usr/java/jdk1.5.0_07/bin/java* .
6. See above to install the browser plugin.

[2] Flash

See above for installing the Flash plugin.

[3] RealPlayer

Real Player 10 for Linux can be downloaded (as an .rpm) from here. Note that it doesn't use alsa, but requires an exlusive lock on /dev/dsp (or use aoss). For the browser plugin, see above. To test realplayer, try the BBC Documentary Archive.

[4] Acroread

Acrobat Reader can be installed from adobe. However, it is totally unnecessary, and not always stable. Alternatives are kpdf (most full-featured); gv (fastest); xpdf (most reliable on all files, even those which cause errors for gv). From the commandline, use pdftotext, less, or pdftops.

[5] Skype

Ugh. Just don't do it. Use SIP instead! I wrote a VoIP howto which is here.

[6] Nvidia Driver

Aside for desktop systems: the nVidia driver can be downloaded from here. It works quite well - although it is annoying to have to re-install for every kernel. Note that, on rebooting into a new kernel, Mandriva will "helpfully" break your xorg.conf, and you have to fix that too.

SSH (Secure shell, keys)

SSH is absolutely wonderful! It does all sorts of clever things: encrypted remote logins; passwordless logins with public-key cryptography; file transfers (scp); X11 forwarding; VNC tunneling; port forwarding of any (TCP) protocol.

[1] Installation

Installation is simple: urpmi openssh-clients openssh-askpass-gnome openssh-server sshd-monitor keychain (Check that the service is on with chkconfig --list sshd). The default configuration is good, but can be altered in /etc/ssh if desired. It is important to stay current with the security updates on the Mandriva Security announcement mailing list.

Protocol 2
PermitRootLogin no

Remote logins are now easy, and secure. Consider a local user tux sitting at machine iceberg who wants to login (with the same username tux) on host antarctica. Sitting at iceberg, tux should simply type: ssh antarctica. [Hostnames should be fully-qualified if necessary; the remote 'username@' may be omitted if it is the same as the local one; SSH connections can be nested.]

To copy the herring/ directory from iceberg to antarctica, use scp: scp -r /home/tux/herring/ antarctica:. [Note: the final colon is required!]

The tab name in konsole can include the hostname: see above for .bashrc .

[2] SSH keys

[3] Copying files

Alternatively, you can ue ssh as a network-transparent pipe. Eg: cat herring.txt | ssh tux@antarctica 'cat > herrings.txt'. The first cat's stdout is piped to the second cat's stdin.

You can also use bash tab-completion of paths on the remote-host with scp/rsync. To do this, you must have passwordless ssh-access to that system, and enable scp tab-completion with COMP_SCP_REMOTE. Put COMP_SCP_REMOTE=true in your .bashrc.

[4] Nested SSH Connections - SSH ProxyCommand (or AgentForwarding)

[tux@iceberg ~]$ ssh ocean
Last login: Thu Apr  6 00:40:13 2006 from iceberg
[tux@ocean tux]$ ssh antarctica
tux@antarctica's password:
Last login: Thu Apr  6 00:40:24 2006 from ocean
[tux@pistachio ~]$

[4.1] SSH ProxyCommand

This is the recommended, and safest method. It also supports single-step scp. We use ProxyCommand with netcat; it is explained in detail here.

#!/bin/sh
bouncehost=$1
target=$2
ssh $bouncehost nc -w 1 $target 22

Host antarctica
    Hostname antarctica
    HostKeyAlias antarctica
    ProxyCommand netcat-proxy-command ocean %h

• SSH directly to antarctica, as though it were on the local network: [tux@iceberg ~]$ ssh antarctica.
• Use SCP: [tux@iceberg ~]$ scp herrings.txt antarctica:.
• Use VNC over ssh and a proxy: [tux@iceberg ~]$ vncviewer -via antarctica localhost:0.

• In two stages, do [tux@iceberg ~]$ ssh ocean and then run [tux@ocean ~]$ ssh antarctica without needing a password on either occasion.
• In a single leap, you can do [tux@iceberg ~]$ ssh -t ocean ssh antarctica. [The first -t is needed to force it to allocate a pseudo-tty.]
• The networked pipe equivalent is: cat herring.txt | ssh tux@ocean "ssh antarctica 'cat > herrings.txt'"

• When forwarding X11, you are essentially connecting your screen/mouse/keyboard to the other machine. That machine will now have access to your X display, including being able to run a keylogger. In general, don't use X forwarding unless you trust the other machine.
• ForwardX11 (ssh -X) uses the X-server security extension to prevent untrusted machines from accessing parts of your X display that they should not. This is relatively safe, (but some older GUI applications will not work.)
• ForwardX11Trusted (ssh -Y) implicitly trusts the other machine. This is potentially unsafe. Remember: "A trusted machine is one that can break your security policy".

1. ssh into antarctica and run either vncserver, or x11vnc -localhost -display :0 as appropriate. [For more on vncserver, see below.]
2. Start the vnc viewer (tightvnc), using the -via option for an ssh tunnel: vncviewer -via tux@antarctica localhost:DISPLAYNUM, where DISPLAYNUM is 0 for x11vnc, and is the number quoted to you by vncserver.
3. Exit the viewer. If using X11vnc, the server will exit, leaving the X-session running as before. If using vncserver, it will continue to run, until closed with vncserver -kill :DISPLAYNUM.
4. Note that, if ProxyCommand is configured, you can have multi-step -via, useful if there is an intervening firewall as well as a firewall on the target machine.

1. SSH into the server, and run the command: xpra start :100 --start-child=xterm
2. From the local machine, run: xpra attach ssh:serverhostname:100 --encoding=png
3. Xpra also starts a panel applet in the systray, which allows configuration and includes a nifty bandwidth monitor graph.
4. Note that the default Encoding (H.264) is really a video codec. For text editors (eg kwrite), it's much more responsive to use one of the PNG encodings (or Raw RGB + Zlib).

1. Tux connects to ocean thus: ssh -L 8888:antarctica:80 tux@ocean In addition to the normal ssh connection, ssh opens a tunnel. The far end of the tunnel connects (from ocean) to antarctica on port 80. The near end is port 8888 on localhost (iceberg).
2. Tux can now browse the remote webserver by connecting to http://localhost:8888/index.html.
3. We could run the command ssh -C -f -L 8888:antarctica:80 tux@ocean sleep 20 instead. This compresses the data (-C, and causes the connection to fork into the background, and disconnect if nothing subsequently happens for 20 seconds (-f .... sleep 20).
4. Use the -g (GatewayPorts) option to make local port 8888 listen on other interfaces. By default, only local users on iceberg may use the tunnel.

1. Polar bear makes an outbound ssh connection to antarctica thus: ssh -C -R 8022:localhost:22 polar-bear@antarctica. Antarctica will now accept local connections to port 8022, and will tunnel those connections back to the ssh server on iceberg's port 22.
2. Tux can now connect to iceberg by doing: ssh -p 8022 -o UserKnownHostsFile=/dev/null localhost. Then, for example, tux might run x11vnc in order to assist polar-bear.
3. In this example, the -C is for compression, and the "-o UserKnownHostsFile=/dev/null" is to stop ssh complaining about the key fingerprint not matching for localhost. Note that, by default, the port 8022 opened on Antarctica will only accept local connections, from another user sitting at Antarctica.

1. Based on this, enabling chrooted SFTP on a webserver.
2. Create a dedicated sftp user. Let's call him "puffin". Then create a chroot within the home directory (this and everything above must be owned by root), and a files/ directory he can use:
   useradd puffin
mkdir /home/puffin/chroot/files
chown -R root: /home/puffin/ ; chown puffin: /home/puffin/chroot/files

   
3. For safety, disable normal logins, by changing the shell to nologin. This will politely decline an SSH request, even when sftp is disabled:
   usermod -s /usr/sbin/nologin puffin
   
4. We could consider just using SFTP only, without a chroot, but this would then grant read-access to the entire filesystem. If this is what you wanted:
   usermod -s /usr/lib/openssh/sftp-server puffin #<-- careful!
   
5. Otherwise, edit /etc/ssh/sshd_config, comment out the line Subsystem sftp /usr/lib/openssh/sftp-server, and add the following:

   Subsystem sftp internal-sftp
   Match User puffin
       ChrootDirectory /home/puffin/chroot
       AllowTCPForwarding no
       X11Forwarding no
       ForceCommand internal-sftp

6. Restart sshd (service ssh restart)
7. Connect with an SFTP program, eg "sftp" or FireFTP. Open the URL: sftp://puffin@antarctica/files.

• Simple commands: ssh antarctica 'cat herring.txt' will run the command 'cat herring.txt' on machine antarctica. The output will be redirected to STDOUT on iceberg, and the exit code $? will be the one from .cat'.
• More complex commands need some escaping:
  • Wrap the whole command in "( )". The double quotes protect it (mostly) from the shell on iceberg; the brackets create a new subshell on antarctica which may contain things like if, ;, |, &&.
  • ", ` and \ should always be escaped singly with another \. ' is literal.
  • $ is escaped as \$ if it is a variable on antarctica, but not escaped if it is to be evaluated on the iceberg before the remote command is run.
  • To have a literal metacharacter on antarctica, it must be triply-escaped. Eg \n, >, [, become \\\n, \\\>, \\\[.
  • For example, rather than write a script on antarctica and then execute it remotely, tux might wish to have all the logic in a single shell script, running on iceberg. This script tells tux whether he has enough herring in his freezer:

    #!/bin/bash
    #Check (from iceberg) whether there are enough herring in the freezer on antarctica. This is slightly contrived, but note the escaping.
    
    ENOUGH=300
    ssh tux@antarctica "(
    	$HERRING_COUNT=\`cat herring_stock.txt\` ;
            if [ \"\$HERRING_COUNT\" -ge \"$ENOUGH\" ] ;then
    		echo \"There are enough herring for the holiday.\"
    		exit 0
    	else
    		echo -e \"Not enough herring.\\\nTime to catch some fish.\"
    		exit 1
    	fi	
    )"

    [download]

• Download from here
• Compile, and install both fuse and sshfs from source.
• (As root) modprobe fuse. This creates creates /dev/fuse with permissions 666.
• Then mount (as a normal user) the ssh filesystem as desired: sshfs -r -o reconnect tux@antarctica:nest/ ~/mnt/nest. [The -r is for read-only, if desired; the reconnect is useful if the connection fails]
• To unmount, do fusermount -u ~/mnt/nest/
• If the ssh connection dies, the mountpoint will hang, and cannot be unmounted. killall sshfs will fix it.
• sshfs is most useful if you already have key-based authentication.

• Install with urpmi lufs (only required on the client)
• (As normal user), lufsmount sshfs://tux@antarctica/home/tux/nest/ ~/mnt/nest -fmask=444 -dmask=555
• To unmount, lufsumount ~/mnt/lufs
• Note: if the ssh daemon on the remote end dies, or the network connection fails, this causes serious problems. The local mountpoint will become un-unmountable. A reboot is required to recover from this; furthermore, the machine will not finish shutting down on its own, and will require a reset.
• killall lufsd may help here: I haven't tried it.

• Encrypting and decrypting files with SSH (RSA) keys: see here.
• Printing over the network: cat herringreport.pdf | ssh antarctica lp
• Copy clipboard from one machine to another: in ~/.bashrc, function ccc(){ ssh antarctica "DISPLAY=:0 xclip -o" | xclip -i ; } then type "ccc" to pull the remote clipboard to the local machine.
• Tunnelling SSH over HTTP (if behind restrictive firewalls): use corkscrew.
• HashKnownHosts - this option in ~/ssh/config makes ~/.ssh/known_hosts hashed. It's a slight security gain, but makes bash-completion on hostnames less useful.
• AddressFamily inet - this option in ~/ssh/config makes SSH only use IPv4 to connect. It can be faster, especially if ip6 addresses exist but fail. To test, use the -4 option, e.g. time ssh -4 antarctica exit.

• Support for user's home directories (http://localhost/~username), is no longer on by default. To enable it, install apache-mod_userdir. Then, ensure the user has a directory: ~/public_html and that their files within it are readable by apache, and that directories above it may be traversed by apache (i.e. the directories are executable).
• .htaccess files are now ignored!!. Directories protected by .htaccess will no longer be secure. To re-enable this, do: TODO: FIXME: WHAT?

• Cron, (the crond service) is a periodic job scheduler. It does:
  • System housekeeping every night (updatedb, msec, rpm -Va) These run at 4am, and take about 30 minutes.
  • Anything the user scehdules, eg nightly backups.
• To configure jobs, use crontab -e; see also man cron and man 5 crontab.
• For one-offs, use at, and atd instead.
• If the machine isn't always on, use the anacron service to run skipped cron-jobs shortly after the machine has booted.
• Note: Msec's messages (from cron jobs) go to the user specified in draksec.

• On the SERVER, install and enable the following services:portmap,nfs-common,nfs-server
• Consider that we want to export the directory /home/public/music. Place the following entry into /etc/exports:

  /home/public/music *(all_squash,anonuid=65534,anongid=65534,sync,insecure,subtree_check,ro)

  This exports the directory /home/public/music to all hosts, i.e. '*', read-only, and 'squashes' file-ownerships. See also man exports. You can also use the draknfs GUI.
• NFS has multiple daemons, which dos not always run on a pre-defined port, and it is necessary to 'pin' the server's NFS daemon to a known port, if we also want to make it firewall-able. This howto explains what to do; here is a summary, suitably modified for Mandrake rather than Fedora....
• Force statd to run on port 4001, and lockd to 4002. (There's nothing very special about these port numbers, except that they are unused in /etc/services. Edit /etc/sysconfig/nfs-common and set:

  STATD_OPTIONS="--port 4001"
  LOCKD_TCPPORT=4002
  LOCKD_UDPPORT=4002

• Force mountd to run on port 4003. Edit /etc/sysconfig/nfs-server and set:

  RPCMOUNTD_OPTIONS="--port 4003"

• Pin rquotad to 4004, if used, by adding this to /etc/services:

  rquotad 4004/tcp # rpc.rquotad tcp port
  rquotad 4004/udp # rpc.rquotad udp port

• [The portmapper service always runs on port 111, and the nfsd service always runs on 2049, so we needn't change this.]
• Restart the portmap, nfs-common, and nfs-server services. Check they are permanently enabled with chkconfig.
• Now, we have well-defined ports for NFS, we can enable the firewall. Make sure the firewall permits both TCP and UDP access to the following ports: 111, 2049, 4001, 4002, 4003, 4004. (4004 itself may not be required, if you don't use rquotad.). In /etc/shorewall/rules, add:

  ACCEPT  net     fw      udp     111,2049,4001:4004      -
  ACCEPT  net     fw      tcp     111,2049,4001:4004      -

• The following diagnostic tools are useful:
  • showmount - show what remote clients have currently mounted which directories.
  • rpcinfo -p - list the ports currently used by the various RPC (remote-procedure-call) daemons.
  • exportfs - show what directories are currently available to be exported.
  • exportfs -fa - tell the NFS daemon that /etc/exports has been modified, without needing to restart it.
  
  
• On the CLIENT, everything is much easier. If you want to have locking of files, then you need to install and run the portmap service, but it is not necessary; the alternative is to mount with -o nolock. For a read-only mount, that is perfectly sufficient. Thus, you can mount the share directly with:

  mount -t nfs -o nolock,soft servername:/home/public/music /mnt/music

  Or you can add this to /etc/fstab:

  servername:/home/public/music /mnt/music nfs nolock,soft,user,noauto  0 0

  There is also a GUI for this, diskdrake -nfs.
• The mount options are explained in detail in man (5) nfs. The important things are that nolock is useful for read-only mounts; that soft is important if you want the client to be "interruptible" in case of network errors (otherwise, if the server goes down, the client application cannot be terminated, even with kill -9); and that servername can be a hostname or IP address, (but must be an IP address if the mount happens early in the boot process, before the system has working DNS)

• A DVD of the correct region to match the drive. Actually, in most cases, Linux ignores the region-coding on the disc. However, if the region of the drive has never been initialised, it may refuse to play. So, set the region using regionset.
• To play most commercial DVDs, it is necessary to break the CSS encryption. Install libdvdcss2 from the PLF. At least some of these packages are also required: libdvdread3, libdvdread-utils, libdvdnav4, libdvdcontrol9, vlc-plugin-dvdnav.
• Then, to play the DVD, use either VLC, mplayer, xine, or ogle. (plf versions). You can even back it up with mencoder.

• Tools: kino, cinelerra, mplayer, transcode, mplex, spumux, dvdauthor, growisofs, xine, gimp. Usually worth downloading/compiling latest versions.
• Capture from firewire mini-DV camera with kino, edit with cinelerra: tutorial.
• Note: cinelerra really works better if you have 2 drives: source footage on one, background-rendered output on the other.
• Create final .mov, then check with mplayer.
• To avoid "mice teeth", I recommend de-interlacing the final file before making the DVD.
• Conversion to mpeg, burning to DVD, DVD-menus: see here (very detailed). My 'incantation' was: transcode -i finalversion.mov -V -x mplayer,mplayer -y mpeg -F d -Z 720x576 --export_fps 25 --export_asr 2 -E 48000 -b 224 -J smartdeinter -o outputmpeg, which results in outputmpeg.m2v (the video; play with mplayer) and outputmpeg.m2a (the sound; play with mpg123). Then, mplex the files: mplex -f 8 -S 0 -o movie.mpg movie.m2v movie.mpa.
• dvdauthor handles converting to the max 1GB filesize on DVD without a problem, even if the .mpgs exceed this. In total, a standard, single-sided "4.7GB" DVD can take 4.3 GB of video (a little over an hour); discrepancy is 2³⁰vs. 10⁹.
• DVD cover: use xfig, then export to pdf.
• See also: tutorial, discussion, Linux-Journal.
• Use DVD-R (rather than DVD+R) for greatest compatibility.

• Run a Linux-native application. Many applications exist under Linux anyway. Some are cross-platform (eg Firefox, OpenOffice), and many are Linux-native. Often, the Linux-native applications are better than their non-Free Windows equivalents.
• Use Wine. Wine is a Free implementation of the Win32 API [Wine Is Not an Emulator!], now at version 0.9.11 and works very well. It is available for download from WineHQ.com, or in a supported commercial version from Codeweavers. WineTools is sometimes a helpful addition, but is increasingly no-longer necessary. Winehq provide Mandriva RPMs which are more recent, and work better than the official ones. Office97,Photoshop,and even InternetExplorer work well. [OK, even on Windows, Internet Explorer can't really be said to work "well", but Wine allows us to check web design for bug-compatibility. :-)] Generally, older or simpler Windows binaries are more likely to work perfectly. Usually, hardware drivers won't work, but I did have success with a serial-port PIC Programmer.
  If you just need to read MS document files (and OpenOffice can't cope), you can download the free (beer) MS Office viewer or Lotus KeyView.
• If you still have access to an obsolete Windows box, put VNC on it. Then leave the Windows box on the network, (suitably NAT'ed please!), run vncserver on it, and view the application on your local display. To maximise server performance, disable all animations, disable show content in moving/resizing windows, and set a plain colour for wallpaper; maximise viewer performance by optimising -encoding. We run MarketEye this way (on an old 770Z PII,300, Win98). Advantage: VNC is free, and works brilliantly. Disadvantage: you need an old Windows machine.
• If you have access to a Windows install disk, or an image of the old hard disk, you can emulate it with QEMU. QEMU is brilliant! It will run any (x86) operating system from within any other; it is free, and it is fast. [Performance is about 5x slower than real life]. You can also try other Operating Systems, eg the latest Knoppix direct from the disk image. Either create a new disk image, boot it in QEMU and install Windows, or (with luck) you may be able to boot a pre-existing image. There is also KQEMU which uses a kernel module to accelerate to near native (about 1/2) speeds. KQEMU is now GPLd (it used to be only free-as-in-beer). QEMU will not (yet) allow you to run hardware devices such as (most) USB or sound input, although you have access to sound output, network, video, disks.
  Note QEMU disk images are sparse files. (A guest OS may have a mainly empty 10GB virtual disk, which takes only 200MB on the host). To copy these, you must use cp -a or rsync -aS to do it, or you will loose the efficient packing!
• Another (GPL) option is virtualbox. [I haven't tried this yet.]
• VMWARE is the commercial equivalent of QEMU. It is essentially the same, and although expensive, it works well. [There is also now a free VMWare player, but someone else would have to create the VMWare image.] Sound input works, and they say that USB devices can be made to work with Windows drivers. We run Dragon Naturally Speaking this way.
• ReactOS is very promising alternative to Windows, especially if combined with QEMU. However, it isn't quite ready yet.

• The worst is mailman, so remove it with urpme mailman.
• Uninstall process accounting - it's rather pointless on a single-owner laptop! It also causes disk writes every 15 seconds. Remove with: urpme psacct.
• Shorewall should not write out the logfile to disk to often. Edit /etc/shorewall/shorewall.conf to have:

  LOGRATE=1/hour
  LOGBURST=5

• Check for (and remove) spurious cron jobs. [By default, a whole lot of security checks run at 4:00 am, and take about 30 minutes of constant activity. If the machine isn't always on, anacron will also run these shortly after the machine has booted.] Some of these aren't absolutely necessary. However, updatedb is really useful.
• sshd-restarter runs every 5 minutes by default. Change this to every 30 minutes in /etc/cron.d/sshd-monitor.
• Stop CUPS regenerating its certificate every 5 minutes: once every 2 hours will do! Change /etc/cups/cupsd.conf to have

  RootCertDuration 7200

• Mozilla should not check for new messages more than about once per 5 minutes, since this also causes disk activity.

• Adding and removing package repositories: urpmi.addmedia and urpmi.removemedia. See above.
• To install a package: urpmi PACKAGENAME, eg urpmi mplayer. Urpmi will automatically resolve dependencies, and fetch the package from the repository. If you already have the package downloaded, use ./ eg urpmi ./mplayer-1.0-1.pre7.20060plf.i586.rpm. Or, you can use rpm -i mplayer-1.0-1.pre7.20060plf.i586.rpm. Multiple packages may be installed in one command. You can tab-complete on packagenames.
• To uninstall a package: urpme PACKAGENAME, eg urpme mplayer. Or, use rpm -e mplayer-1.0-1.pre7.20060plf. Note that, the packagename does not include the .i586.rpm which is appended to the filename. RPM is unnecessarily fussy about this!
• GUI equivalents for urpmi/urpme are rpmdrake and rpmdrake-remove.
• To find out what package contains a certain file: urpmf FILENAME eg urpmf libogg.so.0.
• To find the description of a package: urpmf --description PACKAGENAME eg urpmf --description mplayer. Or, rpm -qi mplayer.
• To find out whether a package is installed: urpmq PACKAGENAME or rpm -q PACKAGENAME or rpm -qa | grep PACKAGENAME
• To apply package updates: Update the package list from the mirror, then select the updates. The easiest way is this, which downloads all the packages first, and only then prompts you fwhether to go ahead: urpmi.update -a; urpmi --auto-select --force -- test; urpmi --auto-select. Note that, with the 2006-Official distribution (as opposed to 2006-Community), the first part is urpmi.update updates. The kernel is a special case, and must be dealt with manually. To update the entire distribution, see below.
• To verify installed packages: use rpm -Va (see below.)
• To install self-compiled packages, use checkinstall. This is important, since it means that you don't bypass the RPM package database. As a result, you can prevent collsions, and can easily uninstall again. So, instead of the usual ./configure && make && make install, use ./configure && make && checkinstall; this generates an rpm, which you can install as usual.
• To list unnneeded libraries: urpmi_rpm-find-leaves. This prints a list of all packages which are currently installed, but on which no other package depends. These packages are "leaves" on the rpm "tree", and their removal will not break anything else. Many of these packages will be the applications (eg Firefox) which you actually want, however, old libraries, which nothing uses, can be removed in this way. Alternatively, use rpmdrake-remove and select "Leaves only".
• To prevent a package from being selected for automatic upgrade: add it to /etc/urpmi/skip.list.
• To downgrade a package to an earlier version: remove the newest version (without removing its dependencies!) rpm -e --nodeps NEWPACKAGE; then manually download the older version from the mirror (with lftp), then install it from the downloaded rpm urpmi ./OLDPACKAGE.rpm, then add PACKAGENAME to /etc/urpmi/skip.list, so that it is not automatically upgraded again! Check that the system is self-consistent again with rpm -Va.
• Various RPM queries: to list the files in an RPM, use rpm -ql package.rpm (or use less package.rpm). To list the requirements of an RPM, use rpm -ql package.rpm. To list all installed packages, sorted by size: rpm -qa --qf '%{SIZE} %{NAME}\n' | sort -nr
• Source RPMS. A .src.rpm is NOT a normal package, but a bundle of the program source, some patches, and a specfile. If you install (rpm -i) a .src.rpm, it will unpack the tarball+specfile onto your system; to uninstall, just use rm -rf. To rebuild an rpm in such a way that it can be installed on your system, do rpm --rebuild bar-2.2.2.mdk.i586.src.rpm
• Building RPMS: an excellent introduction is here.
• Troubleshooting: see below if urpmi complains of an invalid package, or if rpm hangs.
• For further information on rpm, see www.rpm.org.

1. Log in as root, go to runlevel 3. init 3. It may be easier to do this from another computer, via ssh.
2. Save the list of currently installed packages, just in case. rpm -qa > oldpackages.txt
3. Remove anything from /etc/urpmi/skip.list if you put it there. Think why it was there. Otherwise, the upgrade won't complete.
4. Remove the old urpmi media: urpmi.removemedia -a. [You may want to back up /etc/urpmi.cfg first.]
5. Add the new urpmi sources. [Decide: community, or official. Add main; contrib; updates (if appropriate); plf (if desired)].
6. Upgrade urpmi itself:
   1. urpmi --test urpmi [test whether urpmi's upgrade works.]
   2. urpmi urpmi [do the upgrade - if you get no errors in previous step.]
7. Upgrade the distribution and packages:
   1. urpmi --auto-select --test 2>&1 | tee urpmi.log [test whether the upgrade of the distro will work.]
   2. urpmi --auto-select 2>&1 | tee urpmi.log2 [do the upgrade - if you get no errors in previous step.]
8. Look for, and remove obsolete libraries. urpmi_rpm-find-leaves will print a list of all packages which are not depended-on by any other package. These are either:
   1. Very important packages which we explicitly want. (Eg apache)
   2. Independent packages with no interrelation to others (eg nc)
   3. Obsolete libraries which have not been removed.
   Uninstall these if desired. In one line: urpmi_rpm-find-leaves | grep -E '^lib' | xargs urpme.
9. Upgrade the kernel:
   1. urpmi kernel [upgrade the kernel: you will get a choice; pick the one you like. (uname -a prints the currently running kernel.) Note that the kernel is not upgraded automatically by urpmi.]
   2. Edit /etc/lilo.conf to make the new kernel the default, and then run /sbin/lilo.
   3. Reboot into the new kernel. Watch the log messages on the console.

1. Are there any kernel-issues? This is especially relevant if migrating from kernel 2.4 to 2.6. For example, udev replaces devfsd, and Serial-ATA disks become /dev/sdX rather than /dev/hdX. Have any of the kernel modules changed? If so, we may need to edit /etc/modules.conf and /etc/modprobe.preload.
2. Look at the system's error messages: dmesg, /var/log/boot.log, /var/log/messages and /var/log/kernel/*
3. updatedb; locate .rpmsave .rpmnew [re-build the locate database, then locate all the changed configuration files.] There are 3 possibilities for package foobar, configured with /etc/foobar.config:
   • If a package's configuration file was never modified by the user, then the new package will be installed over it. Otherwise, depending on the package:
   • The old config-file will be kept (as /etc/foobar.config), and the new one saved as /etc/foobar.config.rpmnew
   • The new default config-file will be used (it becomes /etc/foobar.config), and the old one will be backed up as /etc/foobar.config.rpmsave
   It is necessary to inspect and merge these files manually. Usually, but not always, the packager makes a sensible choice as to whether the new, or old file is more appropriate. (diff or etc-update will help here.)
4. Read the Release Notes (2006) and Errata (2006) again - check for gotchas.
5. Check the configuration files of important packages, especially apache and sshd.
6. Are there any new or obsolete system services which should/shouldn't be running? Use chkconfig --list (or mcc).
7. Look for newer packages which may have bcome available and which you might like to install. (rpmdrake is most useful.)
8. Remove any old, unwanted kernels with urpme. (Don't do this until you are happy with the new one!)
9. Upgrade any non-distribution packages if desired/necessary.
   • Non-free: java, shockwave-flash (maybe acroread, realplayer ...)
   • Binary drivers (ugh!) eg the nvidia 3D driver.
   • Custom-compiled packages built from source. (remember, use checkinstall instead of make install.)
10. Recompile anything which depends on the kernel source. eg: ltmodem, kqemu, vmware, nvidia-driver.
11. Re-add packages to /etc/urpmi/skip.list as necessary. [Saving the kernel-source package is a good idea.]
12. Fix any other breakage! There shouldn't be any, but keep an eye out!

• You have used "rpm --force" at some point to install packages.
• You have installed rpms from an untrusted origin.
• You have installed rpms not specific for Mandrake.
• You have installed from source with "./configure && make && make install" (which bypasses the RPM database) as opposed to using instead of using "./configure && make && checkinstall" (which RPM is aware of).

• It downloads all needed rpm-packages.
• It tests the installation and provides quite clear error messages.
• It does not delete downloaded rpm-packages. (Note: this does mean that you need plenty of space in /var; if necessary, temporarily replace /var/cache/urpmi/rpms/ by a symlink to a directory with a few GB of space.)
• It does not change your current programs.
• When happy and you do not use "--test", as all the packages are already downloaded, your upgrade takes less time.

• Use tee and log files so that you have a convenient record of what you did!
• Urpmi caches downloaded files in /var/cache/urpi/rpms. So you can install RPMS directly from there.
• You can use --force with urpmi: this means "Answer yes to all questions". This can be dangerous, but if you have already used --test, and been happy, it may save time. [Note: urpmi's "--force" is much less potentially hazardous than rpm's "--force". ]

1. Have a destination partition (or partitions) ready. fdisk and mkfs.reiserfs iff necessary.
2. Bring the source system into runlevel 1: init 1. Start networking if required.
3. The directories in / are: bin/ boot/ dev/ etc/ home/ initrd/ lib/ mnt/ opt/ proc/ root/ sbin/ share/ spare/ sys/ tmp/ usr/ var/
4. On the target, these directories should be created empty: cd /spare; mkdir home mnt sys proc tmp
5. Copy these directories across: cp -a /bin /boot /dev /etc /initrd /lib /opt /root /sbin /usr /var /spare. (Or, use rsync -avz -e ssh).
6. Recreate the mountpoints in /spare/mnt.
7. Fix /spare/etc/fstab and /spare/etc/lilo.conf to reflect the new partition arrangement.
8. Also edit /etc/lilo.conf to add the kernel in the new root, and run lilo.
9. Reboot. In case you need to fix your bootsector, use Knoppix: see below. (This step is required if the destination is a different hard disk.)

1. Verify all the packages, using rpm -Va. In particular, look for "missing","5", and "Unsatisfied": rpm -Va | grep -Ei 'missing|5|unsatisfied'.
2. Note, some errors are usual, eg a modified config file, or permissions which have been changed by msec.
3. If a file is definitely damaged, find out which package it is in: urpmf FILENAME
4. Repair the file by forcibly uninstalling its package, then re-install: rpm -e --nodeps PACKAGENAME; urpmi PACKAGENAME.

1. Check rpm isn't currently running (use ps aux | grep rpm)
2. Remove stale lock files by doing rm -f /var/lib/rpm/__db* as root.
3. Rebuild the RPM database using rpm --rebuilddb

• Mandriva kernels usually include support for all hardware, and are compiled with almost everything as modules. This means that practically every device will be supported, but then in-memory portion of the kernel is not bloated. I have never yet found it necessary to compile a kernel!
• Mandriva kernels usually have quite a few patches applied (often backports from development kernels). However, the kernel-linus package is available if you want an unpatched one. The kernels come with various options. For example:
  • kernel-2.4.28.0.rc1.5mdk - kernel 2.4 (default)
  • kernel-2.6.12.14mdk - kernel 2.6 (default)
  • kernel-i586-up-1GB-2.6.12.14mdk - kernel 2.6 compiled for i586 (Pentium 1 only) with uniprocessor and support for upto 1GB RAM
  • kernel-i686-up-4GB-2.6.12.14mdk - kernel 2.6 optimised for i686 (Pentium 2,3,4) with uniprocessor and support for upto 4GB RAM. Use this on the A22p.
  • kernel-smp-2.6.12.14mdk - kernel 2.6 for SMP (multiprocessor). Most High-end Pentium 4s are dual-core, which counts as SMP.
  • kernel-linus-i686-up-4GB-2.6.15.rc7.4mdk-1-1mdk - Unpatched copy of Linus's kernel tree.
  • kernel-source-2.6 - kernel source for the most recent 2.6 kernel.
  • kernel-source-stripped-2.6 - stripped kernel source. You can compile against this, but cannot read the source code.
• To update the kernel, first install the kernel that is desired with urpmi. The new kernel will automatically be added into lilo.conf. Then, if desired, edit lilo.conf and set the "default" field to that kernel. Then run /sbin/lilo to write the boot sector. Easy.
• After updating the kernel, it is necessary to recompile/reinstall any binary drivers or custom kernel modules. Eg ltmodem, kqemu, vmware, nvidia
• A gotcha: urpmi will install multiple versions of the kernel without difficulty. However, it will only install one version of the kernel source. Urpmi --auto-select will update the kernel source, but not the kernel. So, if you regularly update packages with urpmi, you can end up with a kernel source package which does not match your currently running kernel. This means that, should you need to compile extra modules, you cannot do so. Solution: either upgrade the kernel, or downgrade the kernel-source, or compile extra modules sooner! It is worth adding kernel-source to /etc/urpmi/skip.list in order to stop urpmi doing this automatically!

• modprobe - insert/remove modules and dependencies. Eg modprobe pcspkr; modprobe -r pcspkr
• lsmod - list currently loaded modules.
• modinfo MODULENAMEM - get information about a module and its parameters.
• dmesg - view kernel messages.
• uname -a - print name of currently running kernel
• Look at the contents of /proc - the kernel's status information. Eg /proc/cmdline
• Look at the contents of /var/log/kernel/* - kernel information and errors.

1. Save the results of lsmod (and maybe lspci -vvv) somewhere. This tells you which modules you need!
2. Download the newest kernel from www.kernel.org/. Get the full version, not the patch. I downloaded 2.6.16.20.
3. See This FAQ on compiling.
4. Untar, or unzip the source.
5. Configure the kernel with make xconfig. I changed these values from the defaults:
   • Processor type and features -> Build arch: PentiumIII. Timer= 1000Hz
   • Do enable /proc/acpi/sleep (deprecated in favour of /sys/power/state)
6. The kernel configuration is saved in .config. Note that we loose Mandriva's bootsplash patch.
7. make. Wait a few hours. Then, as root, install the kernel:
   • make modules_install - Install the kernel modules into /lib/modules/kernel-2.6.16.20/
   • cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.16.20 - Install the kernel itself.
   • cp System.map /boot/System.map-2.6.16.20
   • mv linux-2.6.16.20 /usr/src ; chown -R root:root /usr/src/linux-2.6.16.20/ - move the source into /usr/src/, so other modules can be built against it.
   • cd /lib/modules/2.6.16.20/ ; rm build source ; ln -s /usr/src/linux-2.6.16.20/ build ; ln -s /usr/src/linux-2.6.16.20/ source - correct the build and source symlinks.
8. Mandriva uses an initrd, so we need to create one: mkinitrd /boot/initrd-2.6.16.20.img 2.6.16.20
9. Edit /etc/lilo.conf and copy one of the existing stanzas. Here is mine:

   image=/boot/vmlinuz-2.6.16.20
           label="2.6.16.20"
           root=/dev/hda5
           initrd=/boot/initrd-2.6.16.20.img
           append="inotify resume=/dev/hda6 splash=verbose panic=60"
           vga=794
           read-only

10. If desired, change the default="" line at the top to match the new label="" line.
11. Then, run /sbin/lilo and reboot. Check everything works.
12. If you forgot a module, re-run make xconfig, make; make modules_install. If just adding a module, the compile will be very quick, and you shouldn't need to reboot. If you change a built-in driver, you need to rerun mkinitrd and lilo, then reboot.

• background program: sudo nice -n 19 updatedb
• important program: bash or sudo su

• Timeouts caused by the wrong hostname. If the machine doesn't have an entry for its own hostname and for localhost in /etc/hosts, then it will be unable to resolve its own name. This will result in a DNS timeout (about 10 seconds) before the application continues. This affects all X applications. This problem can also sometimes be caused by changing the hostname from within an X-session, whether manually, or by a daft (default) DHCP option.
• Many applications are now built with support for HAL/DBUS. If they are built against the wrong library, they will speak the "wrong" protocol, and the HAL error will take about 25 seconds to time-out. See above.
• Note that some applications, notably OpenOffice are just very "heavy", and are just rather slow to start - but you will see the CPU load being 100%.

• Don't run at 24 bit colour. There isn't enough graphics memory (so it seems) to run at 24-bit, with acceleration, and it will cause glxgears to drop to only 160 fps. Approx 780 fps is achievable when running at 16-bit. This is controlled by the DefaultColorDepth setting in xorg.conf.
• Don't install Mesa. Mesa allows you to do indirect rendering of OpenGL in software: excellent when there is no hardware support, but far less powerful than raw hardware. Interestingly, this won't seriously affect the performance of glxgears, but ppracer/stellarium will be totally unusable (2fps!). glxinfo provides some debugging information; this excellent page on DRI Troubleshooting has more details. If hardware acceleration is available, you should not have LibMesaGL installed. So, uninstall the Mesa-5.0.2-11mdk and libMesaGL1-5.0.2-11mdk packages.
  [Note: the libMesaGLU1-5.0.2-11mdk, libMesaglut3-5.0.2-11mdk and libMesaGLU1-devel-5.0.2-11mdk packages are innocent.]

• If it was working, and then you broke it:
  • For system packages, try verifying the installed packages with rpm -Va. See above. If necessary, uninstall (with rpm -e --nodeps and immediately re-install.
  • If it is an application, try removing $HOME/.applicationrc or $HOME/.application/. (Copy it first).
• If it was broken to begin with:
  • Check the package's bugzilla, and google, in case it is a known bug. Otherwise, file a bug report (both upstream with the author, and with mandriva).

• If the hard disk is slow, it is possible that DMA (direct memory access) is not enabled. Use hdparm /dev/hda to check the status. hdparm can also measure file-transfer performance hdparm -tT /dev/hda or change DMA settings hdparm -d 1 /dev/hda.
• Check the hard disk for errors. Smartctl is part of the SMART System monitoring and reporting tool system for Hard drives. These can detect impending failure, and hopefully warn you.
  • smartctl -l selftest /dev/hda - print the self-test log from the drive.
  • smartctl -a /dev/hda - print all information that the drive knows about itself.
  • smartctl -t long /dev/hda - begin a long selftest (about an hour). This can be run without unmounting the drive.
  • To set up automated monitoring, see here (and check that "mail root" is delivered to a human).
  • There is also a graphical utility, gsmartcontrol

• Installing another OS (eg Windows) on a different partition, and it messed up the bootloader.
• Ugrading the kernel without running lilo [but Mandriva normally does this automatically, when you use urpmi, so this is rare]
• Copying the hard disk (eg with rsync) onto a different disk or a new machine.

• Boot the damaged system up from CD with knoppix. Become root. (sudo su)
• Mount the hard disk (mount -o dev /mnt/hda1). The "-o dev" is very important; it is not the default for Knoppix.
• If necessary (it usually isn't), copy over knoppix's /dev directory. ONLY do this if /mnt/hda1/dev is empty. (cp -a /dev/* /mnt/hda1/dev/)
• Chroot into the target system. (chroot /mnt/hda1)
• Edit the target's lilo.conf if needed: (nano /etc/lilo.conf)
• Run lilo: (/sbin/lilo)
• Reboot.

• Look at the log files: dmesg, /var/log/boot.log, /var/log/messages, /var/log/kernel/*, /var/log/daemons/errors etc.
• the kernel messages, dmesg are particularly helpful.
• If it is a hardware problem, try compiling the latest kernel. If it's an application bug, try the latest version.
• Run the application from a terminal, so that the error messages (stderr and stdout) are visible. These are invisible when starting from the GUI (though they are appended to ~/.xsession-errors instead.)
• If necessary, you can watch what the program is doing with strace (print system calls), and ltrace (print libary calls).
• To see what process is using a particular file, use fuser and lsof. (as user root).
• To identify what processes are using the most CPU, use top. (keys: M - sort by memory usage (explanation); P by processor use; S cumulative CPU use.)
• vmstat reports memory usage, and swap/disk io bandwidth.
• Other useful tools include ps, pgrep, nice, ionice, netcat, lshal, lsusb, and digging around in /proc.
• Look at the source code. (A surprising number of programs are actually scripts).
• Look in the application's bugzilla, or google's Linux pages. (Google for the exact error message; Kdialog lets you select text, for this reason).
• Remember, once found, to document what you did, and file a bug report if relevant.

• Mandriva or Thinkpad Specific:
  • Mandrake Security Announcement list - for email notification of updates.
  • Mandriva 2006 Documentation - online (or install mandriva-doc-*)
  • Linux-Thinkpad.org - Linux on Thinkpads (in particular the excellent mailing-list)
  • ThinkWiki - Wiki with lots of Thinkpad information
• Linux on Laptops:
  • Linux-Laptop.net - Linux on laptops
  • TuxMobil.org - Linux on laptops
• General Linux information:
  • The Linux Documentation Project - all the HOWTOs.
  • Rute User's Tutorial and Exposition - detailed explanation of Unix internals.
  • A Mandrake 9.1 Howto - (old, but still useful).
  • IBM developerworks - lots of good tutorials.
  • Linux Home Networking
• Linux News:
  • Linux Weekly News - detailed technical news about Linux.
  • Linux Magazine - archived articles can be freely downloaded as .pdfs
  • Linux Gazette - free, online magazine with some tutorials.
• Search:
  • Google's dedicated Linux Search
• Miscellaneous:
  • Knoppix - bootable Linux demo/rescue CD
  • My other computing links, including humour.

• Figure out how to use the S-Video input and output that the Thinkpad has.
• Get IrDA to work without crashing.

• PC Speaker not working: Bug 13627. Trivial, finally fixed in 2008.1
• Prism54 firmware: Bug 17797. Not really a bug, just an irritation.
• X - EmulateWheelTimeout doesn't do anything: Bug 4291. Fixed in Xorg CVS. Fixed in 6.9.0
• X - Broken R128 driver: Bug 17958. Solution: use the ati driver instead.
• X = Must restart dm to make xorg changes take effect: Bug 18022. This is "Not a bug".
• Encryption - bug in initscripts (rc.sysinit) : Bug 17931. Still not fixed.
• Swapon race condition (need sleep in rc.sysinit): Bug 17802. Still not fixed.
• Swapon needs specific /dev/loopX: Bug 17803. Probably a kernel bug. Not fixed.
• Apm: suspend causes crash: solution is sync,chvt,kill -STOP X: Bug 17930. Still not fixed.
• /etc/bashrc (unset i): Bug 17799. Trivial, not fixed.
• /etc/profile fails to prevent core-dumps: Bug 19822. Fixed in Jan 2007.
• lircmd service starts after the dm service, so it can't be used as an IR mouse. Bug 20771. Fixed March 2007.
• Timidity-init doesn't play nice with alsa: Bug 17160. Complicated
• Irdadump panics kernel: Bug 20443. Being worked on. Fixed upstream.
• Kdialog converts \n to \n\n: Bug 111388. Trivial, not fixed. May be deliberate.
• Mozilla has wrong shortcut keys: Bug 18024. Default behaviour; not a bug (although I think it's a misfeature).
• Need to accept 2 different MAC addresses with WG511: Bug 21840.
• KDE Removable storage - dynamic devices with udev rules, permanent entries in fstab: Bug 126208