Ideal mobile text editing device redux As I read the responses¹ to my search for the ideal mobile text editing device, reality began to set in. The heating season is now upon us, and even used technology meeting my criteria would likely exceed my stated budget. Furthermore, I’d risk replacing my current issues with a whole new set of issues and end up with a less-than-ideal mobile text editing device. So I have rethought the problem and have decided it would be best to work on with what I have now while I wait for this ideal device to arrive on the market. Keyboard While I can’t change the keyboard of the ZR-5000, with a practiced lighter touch on the keys I can, in fact, touch-type passably well. It has served me well enough to draft several blog articles so far. Software Although not up to the high standard set by Vim, for quick note-taking, I don’t really need a fancy editor. My thoughts flow directly through my fingers into the device with only light editing. Cut-and-paste, motion keys and delete are the bare essentials. Anything more is a frill. Synchronization I do have an ACTiSYS IR-200L infrared dongle for my PC. The trouble is, although this is supported in Linux using IrDA, the ZR-5000 insists on speaking ASK-IR which is not supported. There is a Windows-only program, ZRLink, which might work. I’ll try it either on an XP system at work, (... mixed reviews out there as to whether it will work on recent Windows,) or under Wine. I can get the dialogs to display properly on Wine, but I have my doubts about whether serial emulation works. My initial tests at home under Wine indicate it doesn’t. (Could #277618 have something to do with this?) There is a 15-pin serial connector on the device, but I have no cable for it. And there’s a PCMCIA slot, but compatible devices are likely limited to older, harder-to-find components: either a 2M CF card or a modem card. While I have the latter, it exceeds the power available from batteries and I have no DC adaptor for the unit. Perhaps I overrate synchronization anyway. My best articles are rewritten from scratch more than once. Summary Living in an embarrassingly technology-rich country, it is too easy for a geek like me to convince himself that his gadget cravings are needs whereas, in fact, there is still plenty of life left in the devices he already has. After all, my venerable ZR-5000 was given to me by a fellow who figured if any one of his friends would still be able to use it for something, it would be me. Well, I won’t let him down. I’ll stick with it and make it work. There is one virtue of this device I doubt if any modern device of the same form factor can match. After a week of daily use, I still haven’t had to change the 2 ordinary AA NiMH batteries. Top that.

¹ Thanks, everyone, for your responses. Although there were the inevitable few that mentioned modern devices way over my budget, and I’ve decided now to stick with the ZR-5000, your suggestions did help me bring the real issues into focus.

Dear Lazyweb, I’m looking for a small, (easily fits on my lap on the cramped seat of a bus,) inexpensive, (around $100 CAD,) mobile text-editing device with a 90%-sized keyboard and decent battery life that runs an open source OS and Vim, and that I can sync to my desktop system. My first mobile device was a NEC PC-8201A, circa 1984. It ran on 4 AA NiCad batteries which I hardly needed to change more than once a week. At the time, it was my ideal mobile notetaking device. Its near-full-sized keyboard, Wordstar-compatible text editor, terminal program and serial interface allowed me to take notes which I would sync to my father’s Mac at home or to the VAX at the university. Today, my mobile computing needs have hardly changed: text editing is almost all I do. I don’t ask for much of a display, but as an 80 to 90 wpm touch-typist, I won’t settle for anything less than a near-full-sized keyboard. I’d prefer a system that runs Debian, and Vim is a must. Some means of easily synchronizing the device with my home system is necessary: PCMCIA wireless-B would be ideal, but is not a must-have. At the moment, I’m using an old Zaurus (not Linux-compatible) ZR-5000 which has good battery life but a very cramped keyboard, poor software, and no functional means of synchronizing the device to my PC. OK for jotting down quick notes, but frankly, I’d rather have my PC-8201A back again. I could at least type on it and sync it across the serial cable. I took a brief look at various Psion models, but they appear to be near-impossible to find. The HP Jornada 720 looks intriguing. And the NEC Mobilepro 780 appears to be another possibility. Have I overlooked anything? So, suggestions please.

I have been using powersave until recently, but I have gone from unhappy to fed up. I also have acpi-support and laptop-mode-tools and hell knows how they all interact. To add insult to the injury, powersave loves to crash or get stuck at times and dbus screws up at times too, which in turn screws powersave. Oh dear. So i have ditched powersave, left laptop-mode-tools and acpi-support around. And i wrote a perl script, i have called it "pm" to handle things i used powersave for. Primarily dpm (device power management) in linux, suspend to ram/disk, battery monitoring and friends. Right now it's ~250 LOC with comments, and more importantly, i know how it works. And it can do things powersave can't. So i am basically happy. It can suspend and resume pci devices (using id<->function mapping) and report their status. It has a very slim suspend wrapper, that just locks screen, syncs drives, remembers power states of pci devices and asks kernel to suspend. After resuming, it restores power states, does chvt voodoo to wake up my intel graphics and sets drive spindown timeout (something, somewhere screws this one up). I also added a "summary" output, that i run using watch on one of terminals in my screen session, that reports cpu frequency and scaling policy, system temperature, battery state (including charge/discharge rate in watts and remaining capacity in mAh), harddrive state (when spinning, also temperature and number of spinups in the drive's lifetime... if you know how to get those two without spinning up the drive, tell me). Then power states of devices (usb, ethernet, wlan, sound, modem, pcmcia, smartcard controller and isa bridge). And as a cherry on top, a list of processes and pids that have recently caused block reads from the drive (needs vm/block_dump enabled in kernel), so you can find out what caused drive spinup. That is about it, now for the catch. It works for me, it probably won't for you, at least not out of the box, unless you have same laptop as me. The pci ids of devices are hardcoded (although not hard to change near the top of the script), so is the screen lock function and probably a bunch of other things. It shouldn't be hard to make a similar script for your system using mine as a starting point though. Another thing that is missing is a nice reporter for KDE to be put on the panel or somesuch. Also, since the script is simplistic in its design, it assumes lots of things about both kernel (tested on 2.6.16 stock debian) and userspace utilities (acpi, hdparm, smartctl) and (oh, coarse-grained evilness), that you have sudo (needed for hdparm at least). Another assumption is that you have single battery and single cpu. But for all the limitations, it goes that if you are going to use a script like that, you probably know enough to extend it to multi-battery and/or multi-core situations. The script definitely needs a hacker-nature :-). So for the brave, the script is to be found on the pm page.

While evaluating Gallery, I noticed that my test web server generates wrong links inside the web application. After getting some help on the Gallery Forum, I was told that this was because my setup was miscreating REQUEST_URI to contain the entire URI, consisting of scheme, host name and path, while Gallery expects that variable to be only the path portion of the URI. Since REQUEST_URI is fine when I ask the web server running the application directly from the host in question, while accessing it from my local machine through an ssh tunnel (since the application web server is not going to be publicly visible on the Internet) yields the full URI in REQUEST_URI Unfortunately, neither is the PHP Documentation especially verbose (it just says that REQUEST_URI is “The URI which was given in order to access this page; for instance, ‘/index.html’.”) nor is the apache documentation formally defining REQUEST_URI (the closest to a definition being the documentation for mod_setenvif, which says that REQUEST_URI is “generally the portion of the URL following the scheme and host portion without the query string”). Did I miss a more formal documentation of apache/PHP’s behavior? Pointers appreciated. While I was writing this blog entry, which was a lot more angry in its first version, the Gallery guys finally acknowledged that apache and PHP are not sufficiently specifying REQUEST_URI and that I have delivered a valid example where there is a host part in REQUEST_URI. They’re going to work around this. Good news, thanks!

---

The promised fix is in gallery2 svn, I have applied the patch to my local version, and the application is fine now. Thanks!

Disclaimer: I am not comfortable with technical documents in my native language, German. I generally find German translations of technical stuff clumsy, overly complicated and badly worded. I might have a “special” feeling for the language, but some output of translators is just too bad to tolerate.For example, I constantly keep stumbling over the german translation of the Debian security team FAQ, which I consider horrendously badly done. Especially the use of the german word “Gutachten”, which basically means “opinion” in the legal sense (as the document produced by an expert called by a court of law) to translate “advisory” is a very very bad choice. My toes curl when I read the german version.In April 2005, I suggested to the German translation team to review the translation of the security team FAQ. I might not have chosen the right wording for that request, but besides a lot of flamage and “the translation is just fine”, I received the usual “send a patch”. Which I did in April 2005.No answer. In October 2005, I asked again, and received answer from the translator that my patch was just too intrusive. Well, a bad translation was rewritten, and the bad translation is still being used.Consequences for me? I’m not going to bother any more about German translations. English is just fine, and when somebody needs a German translation, I’m going to translate the stuff myself. Pointing people to the official German translations is just too embarrassing. A pity.

My notebook is an hp compaq nc8000 running Debian unstable, and I’d like to know whether it is “already” possible to use software suspend (hibernation). To my knowledge, there is a lot of different ways to do suspension, all of them differently broken and/or incompatible. I’t like to run with an unpatched vanilla kernel, use suspend-to-ram and suspend-to-disk according to my choice at suspend time, and have the notebook wake up with the X session unhampered and the important hardware (sound, synaptics) still useable. Additional bonus points if wireless and/or wired network remains useable and USB/PCMCIA devices don’t need an unplug/plug cycle. Which solutions should I investigate, which web pages should I read?

Following about a month of irregular activity, I just uploaded three source packages (along with related binary packages, of course) to Debian unstable: gforge (4.5.14-9), gforge-plugin-scmcvs (4.5.14-3), and gforge-plugin-scmsvn (4.5.14-2). I hope unstable will give them more exposure than experimental did. Plans for the future: I ll focus on getting these packages into testing, without too many changes if possible. I haven t managed to get dbconfig-common to work reliably (or at all) with PostgreSQL so far, so I ll consider the migration to its infrastructure as a nice option, but not a blocker. The problem is that it would make the install scripts simpler and (hopefully) more reliable if it worked. Again, help would be very much appreciated. (And yes, I will be submitting bug reports when I get some time to do some more thorough testing of dbconfig-common.)

...or, "Bits from a Gforge maintainer", if you'd like. After being neglected for way too long, the Gforge packages have finally started moving again. Packages for the most recent upstream release (4.5.14) are available in experimental, with quite a few improvements over the version currently in unstable:

• lots of improvements upstream, of course;
• no more sourceforge transitional package;
• source control management systems are now integrated via plugins rather than core code; existing plugins are gforge-plugin-scmcvs for CVS and -scmsvn for Subversion (both are in experimental);
• should support recent versions of PostgreSQL;
• default authentication scheme for users created through Gforge is now no longer LDAP (although it's still available for the masochistic); nss-pgsql is now preferred, with lots of benefits (not the least being that its configuration and setup are far less brittle);
• and lots more, thanks to Christian Bayle's work while I was busy doing something else.

From a Debian maintainer's point of view, my Gforge-related TODO list now mainly sports three items.

• First, rewrite some PHP code into Perl: the script in charge of bringing the database schema up-to-date, db-upgrade.pl, currently delegates some of its work to PHP scripts with system() calls. That's justifiable by the fact that these PHP scripts can use the Gforge code, classes and methods, but it makes the whole upgrading process fragile: for some reason, the system() calls sometimes fail without db-upgrade.pl noticing, and the process then just goes on with a broken DB instead of stopping right there with an error. Also, this is doomed to fail sometime: the Gforge classes used are the ones currently installed, which may or may not correspond to the database schema (remember we're in the middle of an upgrade, so the schema is moving). Since I want this db-upgrade.pl script to be unbreakable, I need to change that.
• In addition to that (or in parallel), I'd like to migrade the gforge packages to use the dbconfig-common infrastructure. It's supposed to be able to take on the tasks of database (and database user) creation, while still giving me a hook to plug db-upgrade.pl into.
• When the dbconfig-common migration is done, I'll probably spam^Wcontact the various translation teams, so the Debconf templates look good and consistent.

I suppose I could also try and migrate to the webapps-common framework, but I'll keep that for later. Of course, any help is welcome. Remember: the sooner I get the Gforge packages into a reasonable shape, the sooner they'll go to unstable, then testing, and the sooner I'll be backporting them to sarge, which means Alioth can be upgraded. But since I've heard a few complaints about Alioth being too damn slow or broken or whatever, I expect I'll get lots of patches (in bug reports, please) from disgruntled users eager to help.

Following about a month of irregular activity, I just uploaded three source packages (along with related binary packages, of course) to Debian unstable: gforge (4.5.14-9), gforge-plugin-scmcvs (4.5.14-3), and gforge-plugin-scmsvn (4.5.14-2). I hope unstable will give them more exposure than experimental did. Plans for the future: I’ll focus on getting these packages into testing, without too many changes if possible. I haven’t managed to get dbconfig-common to work reliably (or at all) with PostgreSQL so far, so I’ll consider the migration to its infrastructure as a nice option, but not a blocker. The problem is that it would make the install scripts simpler and (hopefully) more reliable if it worked. Again, help would be very much appreciated. (And yes, I will be submitting bug reports when I get some time to do some more thorough testing of dbconfig-common.)

After playing around with gnome-power-manager so that it can support spicctrl (which is to be done in hal, actually) to be able to adjust LCD brightness according to whether the AC adapter is plugged or not, I wanted to go a bit further in my quest for battery life. To be honest, I was already adjusting the LCD brightness with a custom acpid event script, but it’s still nicer to have it out of the box. Anyway, the main issue I remembered for battery life, apart from LCD backlight and Wi-Fi, is CPU power states. When on battery, the CPU in my laptop can handle 4 such states. From C1 to C4 (According to the acpi docs there’s actually a C0 state, so that’d make 5). But when on battery, the CPU never goes past level C2. I did some basic check a long time ago, by removing modules, and after removing Firewire, PCMCIA, and USB support, the CPU would go in C3 and C4 states. Though this definitely saves battery because it turns off parts of the computer, I wanted to know exactly what was sucking the CPU, and to keep at least USB, that I use more than the rest. After selectively removing the modules, it turns out the uhci_hcd support (USB1) is somehow responsible. Which is sad, because my USB mouse is USB1. But it also turns out there’s always a peripheral connected to the USB1 hub on my laptop. Indeed, the internal bluetooth support, which is activated at the same time as Wi-Fi, is connected internally through USB1. If I turn off Wi-Fi, it disconects the BT USB device. It appears that in this configuration, having uhci_hcd loaded doesn’t have an influence on the CPU. It still reaches C3 and C4 levels. Problem is I don’t want to turn off Wi-Fi. So, with the help of my friend google, I found out that it’s possible to unbind drivers from devices, and successfully unbound the USB port the BT device is connected to, without deactivating all the other (external) ports. The sad thing is that when doing such, it also automagically disables the Wi-Fi device (an ipw2200) IRQ, but modprobing ipw2200 again enables it without enabling the BT device. Next step was to find a way to have this set-up applied automatically at boot-time. I tried to add the following to my udev rules:
ACTION=="add", SUBSYSTEM=="pci", ID=="0000:00:1d.2", ENV UDEV_START ==1, OPTIONS="ignore_device"
which i’d have expected to do what i want, but it doesn’t. I also tried:
ACTION=="add", DRIVER=="uhci_hcd", RUN+="/bin/echo -n 0000:00:1d.2 > /sys/bus/pci/drivers/uhci_hcd/unbind"
which doesn’t work either. But:
ACTION=="add", DRIVER=="uhci_hcd", RUN+="/some/script/containing/the/previous/echo"
does. Well, it does work when you restart udev, but not when you reboot. Unfortunately, the initramfs (built with the initramfs-tools) loads a lot of modules, including USB. Meaning that udev doesn’t load these and doesn’t apply the rules then. Unless I write my own list of modules to load at boot time, initramfs-tools won’t produce a useful initramfs for my case. Yaird, on the other hand, did what I wanted it to do, except that it still lacks support for resuming from suspend-to-disk. In the end, I put a script in /etc/rcS.d. This script unbinds the uhci_hcd driver from the BT device port and re-modprobes ipw2200. I got a bad surprise, though. After a fresh startup, the CPU would be stuck on C2 state again. Remember how the OpenGL performance would drop if I switch to console and back to X ? It also turns out that it also makes the CPU able to reach C3 and C4 states. There seems to be something odd with the radeon driver…

…or, “Bits from a Gforge maintainer", if you’d like. After being neglected for way too long, the Gforge packages have finally started moving again. Packages for the most recent upstream release (4.5.14) are available in experimental, with quite a few improvements over the version currently in unstable:

• lots of improvements upstream, of course;
• no more sourceforge transitional package;
• source control management systems are now integrated via plugins rather than core code; existing plugins are gforge-plugin-scmcvs for CVS and -scmsvn for Subversion (both are in experimental);
• should support recent versions of PostgreSQL;
• default authentication scheme for users created through Gforge is now no longer LDAP (although it’s still available for the masochistic); nss-pgsql is now preferred, with lots of benefits (not the least being that its configuration and setup are far less brittle);
• and lots more, thanks to Christian Bayle’s work while I was busy doing something else.

From a Debian maintainer’s point of view, my Gforge-related TODO list now mainly sports three items.

• First, rewrite some PHP code into Perl: the script in charge of bringing the database schema up-to-date, db-upgrade.pl, currently delegates some of its work to PHP scripts with system() calls. That’s justifiable by the fact that these PHP scripts can use the Gforge code, classes and methods, but it makes the whole upgrading process fragile: for some reason, the system() calls sometimes fail without db-upgrade.pl noticing, and the process then just goes on with a broken DB instead of stopping right there with an error. Also, this is doomed to fail sometime: the Gforge classes used are the ones currently installed, which may or may not correspond to the database schema (remember we’re in the middle of an upgrade, so the schema is moving). Since I want this db-upgrade.pl script to be unbreakable, I need to change that.
• In addition to that (or in parallel), I’d like to migrade the gforge packages to use the dbconfig-common infrastructure. It’s supposed to be able to take on the tasks of database (and database user) creation, while still giving me a hook to plug db-upgrade.pl into.
• When the dbconfig-common migration is done, I’ll probably spam^Wcontact the various translation teams, so the Debconf templates look good and consistent.

I suppose I could also try and migrate to the webapps-common framework, but I’ll keep that for later. Of course, any help is welcome. Remember: the sooner I get the Gforge packages into a reasonable shape, the sooner they’ll go to unstable, then testing, and the sooner I’ll be backporting them to sarge, which means Alioth can be upgraded. But since I’ve heard a few complaints about Alioth being too damn slow or broken or whatever, I expect I’ll get lots of patches (in bug reports, please) from disgruntled users eager to help.

I doubt it... how often did you swear at guys that designed something?
Sometime I think that the guy that invented something extremely stupid and uncomfortable should be convicted to use it during rest of his life.
How long did he think before he figured out that the best place for headphones jack in my laptop would be front side of it? Now plugging there anything is very, very, very awkward and I really don't like wires around my navel using laptop while laying in bed.
Well... maybe it's some marketing hack, cause now I wonder about buying usb/pcmcia sound card ;)

Blog commenter James pointed out to me that the esteemed Mark Pilgrim has recently moved back to Linux for his desktop OS as well. Since Mark’s blog post doesn’t have to be conformed to fit conventions of a major technical publishing site, the style is more conversational. His take on the faux openness of the Mac platform is insightful. My favorite two paragraphs from the entry are the following:

I would like to point out that it is entirely Apple s choice that their operating system does not run on my new Lenovo ThinkCentre. I m not saying it was a bad business decision they are a hardware company, after all but it is particularly galling to realize that if I bought a new Mac, I would be subsidizing the development of an operating system that contains code whose sole purpose is to lock me into a specific hardware platform. I realize that most people don t look at it that way, but there it is.

In many ways, the tale of my switch is more of the same old story. Mac OS X was free enough to keep me using something that was not in my long-term best interest. But as I stood in the Apple store last weekend and drooled over the beautiful, beautiful hardware, all I could think was how much work it would take to twiddle with the default settings, install third-party software, and hide all the commercial tie-ins so I could pretend I was in control of my own computer. Beauty is in the eye of the beholder, and to my eye Apple isn t beautiful anymore. I ve worked around it or ignored it for a long time, but eventually the bough breaks.

Spot on, Mark. I still kick myself for thinking it perfectly normal at one time to have to own a PCMCIA network card just to be able to use WLAN with my Aluminum PowerBooks equipped with “Airport Extreme”. Deciding to “switch back” was almost like realizing I was in this relationship with someone who was taking without giving back, and using manipulative schemes to win my allegiance. Oh yeah, and more Mac zealot whinging in the comments, apparently enough for Mark to have turned off comments on that post.

Note: This article is part of my OS Install Experiences series.

OK, so let's start with something simple: Debian. Simple in the sense that there probably won't be too many surprises for me as a Debian developer (or for most readers of Planet Debian). For other people this might be interesting, though, and some facts are probably interesting to one or the other experienced Debian user/developer, too... Hardware A few words on the hardware I'll be installing all these OSes on. It's a cheapo (200 Euros) x86 PC (Intel Celeron, 2 GHz), 80 GB IDE hard drive, 256 MB RAM, ATI Radeon 9200 SE graphics adapter, Realtek PCI ethernet controller, CDROM, USB, and all the other standard stuff. Nothing fancy, really. Install

1. First, I downloaded a Debian sarge 3.1r2 CD image, burned it on a CD, and booted from that.
2. An installer menu showed up, where you can press F3 for boot options. I chose "expert26", which will ask me more questions and give me a 2.6 Linux kernel instead of 2.4.
3. The installer (newt-based, i.e. not graphical) will now start to boot a base Linux system.
4. Now, you can choose your language (used in the installer), country, region, and keyboard layout.
5. You'll be asked which additional kernel modules you want to load (default: all), and whether you want PCMCIA support. Also, you can choose which extra installer components should be loaded (LVM, PPP, serial, IrDA, ...).
6. Your hardware can be automatically detected (my Realtek card was successfully detected, the "8139too" kernel module was then loaded).
7. The network was successfully auto-configured via DHCP within seconds.
8. Now you can choose a hostname and domain name for the box. I used "hydra" as hostname (guess why), and "local.domain" as domain name.

Partitioning Now the funny part starts: partitioning the disk. As I will be installing >= 10 OSes, this needs a bit of consideration. I have chosen to create a 10 GB (primary) partition for a Redmond OS I'll be installing later (for games, testing, proprietary software I'm forced to use, and similar things). This will be the first partition and I marked it bootable, as Windows might choke otherwise. For the rest, I reserved 5 GB for each OS — that should do. So the next two (primary) partitions are 5 GB each. I'll leave these empty for now, as I might encounter obscure OSes which must be installed on primary partitions. Let's hope it won't be more than two ;-) As you can only have four primary partitions, I then had to create a logical partition, which will "contain" any further partitions. The next three (secondary) partitions are 1 GB each, intended to be used as swap. One of those I marked as swap in order to use it for Debian. Other Linux installations will be able to reuse this one. The other two are reserved in case I encounter OSes which have another form of swap and cannot use Linux swap partitions... The rest is easy: create twelve 5 GB partitions => lots of space for more OSes. Here's the resulting fdisk output:

Disk /dev/hda: 81.9 GB, 81964302336 bytes
255 heads, 63 sectors/track, 9964 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
      Device Boot      Start         End      Blocks   Id  System
   /dev/hda1   *           1        1216     9767488+  83  Linux
   /dev/hda2            1217        1824     4883760   83  Linux
   /dev/hda3            1825        2432     4883760   83  Linux
   /dev/hda4            2433        9964    60500790    5  Extended
   /dev/hda5            2433        2554      979933+  82  Linux swap / Solaris
   /dev/hda6            2555        2676      979933+  83  Linux
   /dev/hda7            2677        2798      979933+  83  Linux
   /dev/hda8            2799        3406     4883728+  83  Linux
   /dev/hda9            3407        4014     4883728+  83  Linux
   /dev/hda10           4015        4622     4883728+  83  Linux
   /dev/hda11           4623        5230     4883728+  83  Linux
   /dev/hda12           5231        5838     4883728+  83  Linux
   /dev/hda13           5839        6446     4883728+  83  Linux
   /dev/hda14           6447        7054     4883728+  83  Linux
   /dev/hda15           7055        7662     4883728+  83  Linux
   /dev/hda16           7663        8270     4883728+  83  Linux
   /dev/hda17           8271        8878     4883728+  83  Linux
   /dev/hda18           8879        9486     4883728+  83  Linux
   /dev/hda19           9487        9964     3839503+  83  Linux

Install, continued

1. The Debian partitioning tool allowed me to do all of the above via a friendly menu. As it does not modify the partition table until you say "done", I could revert many changes, and play around with different layout ideas until I was satisfied.
2. Next thing you can choose is the Kernel flavor (386, 686, smp).
3. You may now configure and install GRUB, the bootloader. I installed it at "(hd0)", the master boot record of the hard disk.
4. Soon the CD ejects, and you have to reboot.
5. After a restart (which also shows whether GRUB works fine), you can now choose your timezone, and decide whether you want shadow passwords (say yes!).
6. Now enter the root password, and decide whether you want to create an additional user account (say yes, and enter a different password here).
7. You can now configure apt, e.g. tell it which sources you'd like to use (CDROM, FTP, HTTP, ...). You'll be asked whether you want to install software from Debian's "non-free" archive. After choosing a mirror (and proxy settings, if you like), you can (should!) also say yes to the question whether you want security updates...
8. Finally, you may now choose "tasks" (desktop, web server, file server, ...) your machine should be able to perform; this will influence which packages will be installed. You may choose "manual package selection", of course, if you want more control. I used "desktop".
9. That's about it. You'll see a few more application-specific questions (configuration of MTA, ssh, fonts, X11, gdm, and others), and after that you'll be left with a GNOME login window.

Security I collected some (partly) security-relevant information after that.

• Portscan from another box:
  

  PORT    STATE SERVICE
  22/tcp  open  ssh
  111/tcp open  rpcbind
  113/tcp open  auth
  785/tcp open  unknown
  

  Not good. A default install should not have any ports open, IMHO. There are more daemons running: exim (port 25), and famd (port 771) for example. Those are fine however, as they only listen to the loopback interface and are not exposed to the Internet (eth0).
• Some permissions:
  

  drwxrwsr-x   3 root staff  4096 2006-05-17 22:48 /home
  drwxr-xr-x  11 uwe uwe     4096 2006-05-18 23:19 /home/uwe
  drwxr-xr-x  10 root root   4096 2006-05-17 23:43 /root
  drwxrwxrwt   8 root root   4096 2006-05-17 23:41 /tmp
  /dev:
  crw-rw----  1 root video    10, 175 2006-05-17 23:13 agpgart
  crw-------  1 root root      5,   1 2006-05-17 23:13 console
  crw-rw----  1 root audio    14,   3 2006-05-17 23:13 dsp
  brw-rw----  1 root floppy    2,   0 2006-05-17 23:13 fd0
  crw-rw-rw-  1 root root      1,   7 2006-05-17 23:13 full
  brw-rw----  1 root disk      3,   0 2006-05-17 23:13 hda*
  brw-rw----  1 root cdrom    22,  64 2006-05-17 23:13 hdd
  crw-r-----  1 root kmem      1,   2 2006-05-17 23:13 kmem
  crw-rw----  1 root root      1,  11 2006-05-17 23:13 kmsg
  crw-r-----  1 root kmem      1,   1 2006-05-17 23:13 mem
  crw-rw-rw-  1 root root      1,   3 2006-05-17 23:13 null
  crw-rw-rw-  1 root root      5,   0 2006-05-17 23:13 tty
  crw-rw----  1 root root      4,   0 2006-05-17 23:13 tty0
  crw-------  1 root root      4,   1 2006-05-17 23:24 tty1
  crw-------  1 root tty       4,   2 2006-05-17 23:13 tty[2-6]
  crw-rw----  1 root root      4,   7 2006-05-17 23:13 tty7
  [...]
  crw-rw----  1 root root      4,  63 2006-05-17 23:13 tty63
  crw-rw----  1 root dialout   4,  64 2006-05-17 23:13 ttyS*
  crw-rw-rw-  1 root root      1,   8 2006-05-17 23:13 random
  cr--r--r--  1 root root      1,   9 2006-05-17 23:13 urandom
  crw-rw----  1 root root      7,   1 2006-05-17 23:13 vcs*
  crw-rw-rw-  1 root root      1,   5 2006-05-17 23:13 zero
  

  Most of that looks sane to me (a "chmod 700 /home/uwe /root" would be nice, though), but maybe it can be tightened/secured a bit more? Ideas?
• Default users and shells:
  I installed some more popular applications (apache, mysql) to have more data.

  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/bin/sh
  man:x:6:12:man:/var/cache/man:/bin/sh
  lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  mail:x:8:8:mail:/var/mail:/bin/sh
  news:x:9:9:news:/var/spool/news:/bin/sh
  uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  proxy:x:13:13:proxy:/bin:/bin/sh
  www-data:x:33:33:www-data:/var/www:/bin/sh
  backup:x:34:34:backup:/var/backups:/bin/sh
  list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  irc:x:39:39:ircd:/var/run/ircd:/bin/sh
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
  nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  Debian-exim:x:102:102::/var/spool/exim4:/bin/false
  uwe:x:1000:1000:,,,:/home/uwe:/bin/bash
  identd:x:100:65534::/var/run/identd:/bin/false
  sshd:x:101:65534::/var/run/sshd:/bin/false
  messagebus:x:103:104::/var/run/dbus:/bin/false
  hal:x:106:106:Hardware abstraction layer,,,:/var/run/hal:/bin/false
  saned:x:109:109::/home/saned:/bin/false
  gdm:x:104:110:Gnome Display Manager:/var/lib/gdm:/bin/false
  mysql:x:105:111:MySQL Server,,,:/var/lib/mysql:/bin/false
  

  Not too good, IMHO. Almost all system accounts have a valid shell instead of /bin/false or /usr/sbin/nologin. Most of those should not need one, and security-wise it's a lot better to not give them a valid shell. The good news is that many daemons (ssh, mysql, etc.) don't have a valid shell. Uh, why is "Debian-exim" capitalized? Update: That's why.
• Setuid/setgid files:
  

  # find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld ' ' \;
  -rwxr-sr-x  1 root tty 9784 2005-09-18 09:04 /usr/bin/wall
  -rwsr-xr-x  1 root root 22872 2005-05-18 08:33 /usr/bin/newgrp
  -rwxr-sr-x  1 root shadow 34488 2005-05-18 08:33 /usr/bin/chage
  -rwsr-xr-x  1 root root 28056 2005-05-18 08:33 /usr/bin/chfn
  -rwsr-xr-x  1 root root 28088 2005-05-18 08:33 /usr/bin/chsh
  -rwxr-sr-x  1 root shadow 16696 2005-05-18 08:33 /usr/bin/expiry
  -rwsr-xr-x  1 root root 34904 2005-05-18 08:33 /usr/bin/gpasswd
  -rwsr-xr-x  1 root root 26616 2005-05-18 08:33 /usr/bin/passwd
  -rwsr-xr-x  1 root root 34488 2002-01-18 09:13 /usr/bin/at
  -rwxr-sr-x  1 root tty 7992 2004-11-01 20:29 /usr/bin/bsd-write
  -rwxr-sr-x  1 root crontab 26872 2004-07-28 22:44 /usr/bin/crontab
  -rwxr-sr-x  1 root mail 9860 2004-06-04 17:21 /usr/bin/dotlockfile
  -rwsr-xr-x  1 root root 18136 2004-12-01 08:29 /usr/bin/traceroute.lbl
  -rwsr-xr-x  1 root root 809836 2006-03-10 12:19 /usr/bin/gpg
  -rwxr-sr-x  1 root mail 7764 2006-01-31 01:48 /usr/bin/mutt_dotlock
  -rwsr-sr-x  1 root lp 24184 2004-07-27 23:48 /usr/bin/lpq
  -rwsr-sr-x  1 root lp 22232 2004-07-27 23:48 /usr/bin/lprm
  -rwsr-sr-x  1 root lp 24440 2004-07-27 23:48 /usr/bin/lpr
  -rwsr-xr-x  1 root root 44024 2004-12-12 20:35 /usr/bin/mtr
  -rwsr-sr-x  1 root mail 71640 2005-03-01 16:37 /usr/bin/procmail
  -rwxr-sr-x  1 root mail 12712 2005-03-01 16:37 /usr/bin/lockfile
  -rwxr-sr-x  1 root ssh 57304 2004-11-28 16:33 /usr/bin/ssh-agent
  -rwsr-xr-x  1 root root 10894 2004-06-04 12:02 /usr/bin/fileshareset
  -rwsr-xr-x  1 root root 5144 2006-01-15 14:37 /usr/bin/kgrantpty
  -rwsr-xr-x  1 root root 5588 2006-01-15 14:37 /usr/bin/kpac_dhcp_helper
  -rwsr-xr-x  1 root root 98488 2006-03-20 23:03 /usr/bin/sudo
  -rwsr-xr--  1 root plugdev 19096 2005-05-18 15:47 /usr/bin/pumount
  -rwsr-xr--  1 root plugdev 26680 2005-05-18 15:47 /usr/bin/pmount
  -rwxr-sr-x  1 root nogroup 45600 2005-09-08 07:32 /usr/bin/kdesud
  -rwsr-xr--  1 root dip 575192 2005-05-24 09:18 /usr/bin/kppp
  -rwsr-xr-x  1 root root 544332 2005-04-08 15:53 /usr/bin/gpg2
  -rwxr-sr-x  1 root games 34872 2005-03-02 19:20 /usr/games/same-gnome
  -rwxr-sr-x  1 root games 57152 2005-03-02 19:20 /usr/games/gnomine
  -rwxr-sr-x  1 root games 65752 2005-03-02 19:20 /usr/games/gnome-stones
  -rwxr-sr-x  1 root games 70296 2005-03-02 19:20 /usr/games/mahjongg
  -rwxr-sr-x  1 root games 48952 2005-03-02 19:20 /usr/games/gtali
  -rwxr-sr-x  1 root games 36652 2005-03-02 19:20 /usr/games/gnotravex
  -rwxr-sr-x  1 root games 94200 2005-03-02 19:20 /usr/games/gnobots2
  -rwxr-sr-x  1 root games 28776 2005-03-02 19:20 /usr/games/gnotski
  -rwxr-sr-x  1 root games 42584 2005-03-02 19:20 /usr/games/glines
  -rwxr-sr-x  1 root games 61944 2005-03-02 19:20 /usr/games/gnibbles
  -rwxr-sr-x  1 root games 78096 2005-03-02 19:20 /usr/games/gnometris
  -rwsr-xr-x  1 root root 5668 2006-04-02 15:32 /usr/lib/pt_chown
  -rwxr-sr-x  1 root mail 10940 2006-03-13 14:30 /usr/lib/evolution/2.0/camel/camel-lock-helper
  -rwxr-sr-x  1 root utmp 9144 2005-03-09 18:21 /usr/lib/libvte4/gnome-pty-helper
  -rwsr-xr-x  1 root root 13304 2005-09-06 15:13 /usr/lib/apache/suexec.disabled
  -rwsr-xr-x  1 root root 668568 2006-04-11 14:33 /usr/sbin/exim4
  -rwsr-xr--  1 root dip 265880 2005-05-05 19:32 /usr/sbin/pppd
  -rwsr-xr--  1 root dip 29420 2004-09-30 04:13 /usr/sbin/pppoe
  -rwxr-sr-x  1 root lp 32248 2004-07-27 23:48 /usr/sbin/lpc
  -rwsr-sr-x  1 root root 7860 2005-09-02 00:44 /usr/X11R6/bin/X
  -rwsr-xr-x  1 root root 35512 2005-05-18 08:33 /bin/login
  -rwsr-xr-x  1 root root 23416 2005-05-18 08:33 /bin/su
  -rwsr-xr-x  1 root root 68440 2005-09-18 09:04 /bin/mount
  -rwsr-xr-x  1 root root 40920 2005-09-18 09:04 /bin/umount
  -rwsr-xr-x  1 root root 30764 2003-12-22 23:18 /bin/ping
  -rwsr-xr-x  1 root root 26604 2003-12-22 23:18 /bin/ping6
  -r-sr-xr-x  1 root root 15000 2004-06-28 20:39 /sbin/unix_chkpwd
  

  Quite a bunch, I'd say. The games are "only" "setgid games", but I'd really, really remove them on any production machine which should be halfway secure. Some of those binaries probably need the setuid/setgid bit (su, passwd, ...), but others probably don't. Maybe we should ship more of that non-setuid per default and add a note to the READMEs which tells the admin how he can make the apps setuid if he should want that?

Ok, so that's it for Debian stable. Unstable is 99% the same, except that you do a "vi /etc/apt/sources.list; apt-get update; apt-get dist-upgrade". I'll do that later maybe, compare the findings, and report notable differences here, but it shouldn't be too many (I guess). Not today, though, I need some sleep now. Comments, suggestions, flames? Update 2006-05-19: Updated "why is Debian-exim capitalized?" info as per comments, thanks!

Bah, as soon as I had root on dm-crypt working, the harddisk died. I wonder whether this is related to me putting in a PCMCIA network card, as many manufacturers have been using combined PCMCIA/IDE controllers, as the standards are pretty similar. Well, I'll try again tomorrow, but I don't have much hope.

After having some fun with madwifi-ng and hostap already, I decided to put the Atheros MiniPCI card I bought some months ago in my laptop to be able to use the cool madwifi-ng drivers there as well. Unfortunately after putting it in and booting you get that:

  1802: Unauthorized network card is plugged in -
  Power off and remove the miniPCI network card.

Some investigation brought up that this is caused he card's PCI-ID being checked against a whitelist in the BIOS. I liked IBM ThinkPads, and especially my X41, quite much so far, but this check hardly seems to have a technical background. It just forces people to buy IBM authorized cards.. Anyway, I wanted to use an Atheros card. So what were the possibilities? Buying a PCMCIA card with Atheros chip? No.. I already had an Atheros card around and wanted to use the integrated wifi. Some people reported that the check could be switched of by flipping a CMOS bit. That doesn't seem to work with my X41. I could still have flashed the BIOS with a version with a changed whitelist, but I didn't want to fuck up a 1,600 EUR laptop. Therefor I decided to change the PCI-ID of my card. Only 40 EUR would have been lost if I did it wrong. I found a nice article that explains how to do that very well. Basically you need to

• remove the MiniPCI wifi card
• switch the laptop on
• put the card in while the laptop is running (after the BIOS checks and before the Linux kernel boots)
• install madwifi
• use a special tool to change the PCI-ID to the ID of an authorized card
• hack the driver to recognize the card with the new PCI-ID
• go outside, enjoy the nice weather and hack

Life can be so easy.

FOSDEM 2006 This year, the days before FOSDEM were the stressful ones, as I got to organize accomodation. Initially, we wanted to have similar appartments as last year, but by the time I was less busy at uni to actually look into it, most of them were already booked, so we had to put up with a youth hostel instead. The positive sides of this were the much lower expenses and a location in the city centre, making us actually look at Bruxelles a bit in detail this time. "Us" were the Hurd people, including Martin "earliest Hurd adopter present" Michlmayr. I got to FOSDEM by car again, picking up Marcus Brinkmann, Neal Walfield and Olaf Buddenhagen on the way in Cologne. Finding the youth hostel seemed to be pretty hard as we just had a street address and a map without street names, but we managed to find it pretty quickly to my great surprise (driving around in Bruxelles usually ended up being a complete disaster over the last years). After a strange encounter with a Guillem Jover lookalike in front of the hostel, we met the other guys (Thomas Schwinge, Marco Gerards, Stefan Siegl and Ognyan Kulev) and had a discussion about Neal's and Marcus' plan to move to a persistent system. After dinner, I met the other Debian people in the Roi d'Espagne and hat some longer chats with Jeroen van Wolffelaar, Rob Bradford, Martin Michlmayr and Jordi Mallach, who I finally met for the first time and who did not cop out of FOSDEM this year as usual... The pub is getting more and more crowded each year, all the hackers barely fit even though they opened the balustrade this time as well. It was great to see everybody again and have a few beers. Martin and I then managed to find the way back to the hostel by foot. We had no developer room, and no talks in the Debian room either, so FOSDEM was a pretty relaxed event this year. I met some more familiar faces like Noel Koethe and Andreas Mueller and listened to a couple of talks, most notably Richard Stallman's and Jeff Waugh's keynotes and Hanna Wallach's talk about FLOSSPOLS. Stefan Siegl also managed to get GNU Mach working for both my 3Com PCMCIA NIC and my Orinoco PCMCIA WLAN card, confirming his title as Hurd "hacker of the month". On Saturday evening, we (at this time, Guillem Jover, Gianluca Guida, Bas Wijnen and Jeroen Dekkers had joined) had dinner with the french Hurd guys (Manuel Menal, Marc Dequenes, Richard Braun, Arnaud Fontaine and others) in an italian restaurant. At 10:40 PM, the waiter told us in a rather unfriendly tone that they would close at 11 and presented us with the bill, along with handing out the menu again so that we could look up our share. By the time the bill arrived the french part of the table (at 10:55 PM), the guys were pretty surprised by this whole business and complained loudly that they did not have a dessert yet and insistent on having one. After some more minutes of discussion, the waiter gave in and served their desserts, after which each of them paid his share with his carte bleue. I believe we left the restaurant around 11:30. On Sunday evening, we had dinner again (the french guys had left Bruxelles already) and then drove back to Germany after having desserts and coffee in a bar. We left Bruxelles at around midnight and arrived in Duesseldorf at 2:30 PM, so we were glad that Neal offered us to stay at his place. We had breakfast the next morning with him and Isabel and then I proceeded to drive back to Frankfurt in the early afternoon. FOSDEM rocked, as usual. After being with the Debian crowd for the first three years or so, and mostly sticking with the Hurd crowd last year, I think I managed a pretty good balance between the two this year. This will not have been my last FOSDEM.

Yeah, my Fujitsu laptop has been dying for a year or so, it's had surgery for power, batteries, hard drive, sound, etc, it's lost every bit that could break off and still have a usable laptop (all the suede on the bottom, the lid fasteners, the pcmcia blcker, the case around the base of the lid.. the still working pcmcia eject button is my one remaining sacrificial breaky bit). It's got the marks to prove cats love it, along with all the results of throwing it in my book bag and taking off with no concern for carrying a laptop around. The screen has 4 or 5 dead pixels and recently one faint patial dead scan line. The lid is getting worryingly wobbly. The CD drive was once crushed in an airplane and then banged back into shape so it still fits in the machine and even ejects OK. I've rubbed the letters right off some of the keys on the keyboard. The speakers turned black and exuded some glue or something long ago during a hot summer, one of them is barely audible. The headphone jack broke. Oh and the laptop is also abused regularly by programs like firefox and openoffice that really didn't expect to run on a 900 mhz crusoe. All that, I can live with. The laptop bears its marks with pride, and amazingly, people still occasionally ooh and awe at it. Although more likely from a bit of a distance these days. The newest wrinkle is that I'm beginning to exceed the design specs for the keyboard. Apparently they just didn't design for it to be used so much. First some keys stopped working half the time on some days, yeilding the famous irc sessions where joeyh tlks without ny A's. Then the Function key's membrane stopped pushing it back up, so it always appears pressed, though still works. Now the Alt key is going the same route and the right side ofthespacebardoesn't work, leadingtoircsessions whereItalklike this. And it just feels like I can't touch type on it half the time anymore. A new keyboard is $100 or more. I think it's time to retire this to a d-i test machine and start looking for a new latop.

---

I looked at the IBM X-41 again, really like it, but still can't get past the low res display and fan. Especially with some reports that the fan runs constantly in linux. I looked at all the stuff on dynamism, but wasn't impressed enough to consider it. At the moment the Fujitsu P7120 is looking mighty appealing. Hey, it's even got the suede bottom again. And no fan.. Only problem is it has a touchpad.

This took a bit too much work to figure out so here it is. If you're like me and had to buy a usb sound card (nearly as sensible a name as a cable modem) since the laptop's onboard headphone jack broke, and would like to have that card used by default when it's plugged in, but otherwise have builtin card be used, create an /etc/udev/rules.d/00_local.rules containing:

# Default to using additional (USB) sound cards when they are available.
KERNEL=="pcmC[D0-9cp]*", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$$ K#pcmC ; K=$$ K%%D* ; echo defaults.ctl.card $$K > /etc/asound.conf; echo defaults.pcm.card $$K >>/etc/asound.conf'"
KERNEL=="pcmC[D0-9cp]*", ACTION=="remove", PROGRAM="/bin/sh -c 'echo defaults.ctl.card 0 > /etc/asound.conf; echo defaults.pcm.card 0 >>/etc/asound.conf'"

Only programs started after the sound card is plugged in will use it of course, and this might not work if you have it plugged in while booting.