OpenBSD Stable ISO

The OpenBSD project distributes a binary base system and packages, built from sources at release time. Any security or stability fixes after release require the sources to be rebuilt by the end user. While this may not be much of an issue with either small deployments or fast systems, occasionally there might be a need to build your own Stable ISO for repeated installation, or quick installation onto low-end systems (netbooks?). The procedure at hand is reasonably well documented, if slightly dispersed.

For this tutorial I’ll presume you have dedicated a specific multicore AMD64 machine for the purpose of building this Stable ISO, targeting an AMD64 or i386 build. Adjust where required for your own purposes. I’d recommend against executing this procedure on production systems though.

Most steps in this tutorial will take between 5-10 minutes on vaguely recent hardware (Core 2 Duo), unless noted otherwise.

First do a basic install of OpenBSD (6.0 in our particular example). I’d highly recommend enabling NTP for time syncing and performing custom disk slicing, so you have plenty of space in /usr, because you will need it.

Step 1: Preparing sources

Log in as a regular user, and then su to root. The name of this regular user (and the FQDN) will show up in your newly built kernel’s dmesg.

Then get all the OpenBSD source tarballs and unpack them accordingly.

cd /usr
signify -C -p /etc/signify/ -x SHA256.sig ports.tar.gz
signify -C -p /etc/signify/ -x SHA256.sig sys.tar.gz
signify -C -p /etc/signify/ -x SHA256.sig src.tar.gz
signify -C -p /etc/signify/ -x SHA256.sig xenocara.tar.gz
cd /usr/src
tar xzf ../sys.tar.gz
tar xzf ../src.tar.gz
cd /usr
tar xzf xenocara.tar.gz
tar xzf ports.tar.gz

These are the unpatched release sources, so we’ll need to update them from CVS.

cvs -qd get -rOPENBSD_6_0 -P src
cvs -qd get -rOPENBSD_6_0 -P xenocara
cvs -qd get -rOPENBSD_6_0 -P ports 

Remove the old release source tarballs, and generate new updated source tarballs.

rm SHA256.sig
rm ports.tar.gz
rm xenocara.tar.gz
rm sys.tar.gz
rm src.tar.gz
tar czf ports.tar.gz ports
tar czf xenocara.tar.gz xenocara
cd /usr/src
mv sys ..
tar czf ../src.tar.gz .
cd /usr
tar czf sys.tar.gz sys
rm -Rf src sys xenocara ports
mkdir /usr/src
cd /usr/src
tar xzf ../src.tar.gz
tar xzf ../sys.tar.gz
cd /usr
tar xzf xenocara.tar.gz
tar xzf ports.tar.gz


Step 2: Building sources

First we’ll need to build and install an updated kernel:

cd /usr/src/sys/arch/i386/conf
config GENERIC.MP
cd /usr/src/sys/arch/i386/compile/GENERIC.MP
make clean && make
make install

Make sure you’ve rebooted your system after having installed the new kernel, then login as your regular user again and su to root.

Next we’ll build (~1 hour) and install an updated userland.

rm -rf /usr/obj/*
cd /usr/src
make obj
cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
cd /usr/src
make build

Again make sure you’ve rebooted your system after having installed the new userland, then login as your regular user again and su to root.

Next we’ll build (~1 hour) and install an updated Xenocara.

cd /usr/xenocara
rm -rf /usr/xobj/*
make bootstrap
make obj
make build


Step 3: Building a release

After having rebooted, log in as a regular user once again and su to root.

Then build a release like so.

export DESTDIR=/usr/dest
export RELEASEDIR=/usr/rel
cd /usr/src/etc
make release
cd /usr/src/distrib/sets
sh checkflist

Then we do the same for Xenocara.

export DESTDIR=/usr/xdest
export RELEASEDIR=/usr/rel
cd /usr/xenocara
make release


Step 4: Building Ports (optional)

Optionally you can build some ports, to include on your Stable ISO, for example…

cd /usr/ports/security/gnupg
env FLAVOR= make install
cd /usr/ports/shells/bash
make install
cd /usr/ports/editors/nano
make install
cd /usr/ports/www/links+ 
env FLAVOR=no_x11 make install
cd /usr/ports/net/wget
make install
cd /usr/ports/net/rsync
make install
cd /usr/ports/archivers/unzip
make install
cd /usr/ports/devel/gmake
make install
cd /usr/ports/lang/go
make install
cd /usr/ports/devel/git
make install

And so on…

You’ll note we’ve been using make install as opposed to make package. That is because make package won’t pull in dependencies that don’t matter at build time, and if those are missing the package will likely fail to install properly.

Step 5: Create an ISO image

Prepare and populate a CD root tree.

mkdir -p /usr/cd/etc
echo 'set image /6.0/i386/bsd.rd' > /usr/cd/etc/boot.conf
mkdir -p /usr/cd/6.0/i386
cd /usr/cd
cp /usr/rel/* /usr/cd/6.0/i386
cp /usr/*.tar.gz /usr/cd/6.0

The release sets include a miniature ISO that merely contains the installation ramdisk, which doesn’t make much sense to include on a full Stable ISO, so optionally we’ll remove that.

cd /usr/cd/6.0/i386
rm cd60.iso 
rm SHA256; cksum -a sha256 * > SHA256

Then optionally add checksums for the source tarballs.

cd /usr/cd/6.0
rm SHA256; cksum -a sha256 *.tar.gz > SHA256

Optionally add the packages built from ports.

mkdir -p /usr/cd/6.0/packages/i386
cp /usr/ports/packages/i386/all/*.tgz /usr/cd/6.0/packages/i386

Then optionally add checksums for the packages built from ports.

cd /usr/cd/6.0/packages/i386
rm SHA256; cksum -a sha256 * > SHA256

And finally build the ISO image.

cd /usr/cd
mkhybrid -v -a -r -L -l -d -D -N \
         -sysid OPENBSD \
         -V OPENBSD \
         -volset OPENBSD \
         -p "PREPARER NAME" \
         -P "PUBLISHER NAME" \
         -b 6.0/i386/cdbr \
         -c 6.0/i386/ \
         -o ../unofficial-openbsd-stable-6.0.5-20160903-i386.iso .

Since OpenBSD 5.5, both the base system and packages are signed for proper releases. The above procedure produces an unsigned base system and unsigned packages, resulting in (expected) signature warnings during installation.
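
The unsigned tree can still be given a signature of your own, so that a copy of it can be checked later with your public key. The script below is an added example, not part of the original post: it refuses to sign a SHA256 manifest that no longer matches the directory, then signs it with signify. The key file names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the key
# pair stable-iso.pub / stable-iso.sec, created once with
#   signify -G -p stable-iso.pub -s stable-iso.sec
# Usage: sh sign-tree.sh /usr/cd/6.0/i386 /abs/stable-iso.sec /abs/stable-iso.pub

# Print the SHA-256 of one file as bare hex: sha256(1) on OpenBSD,
# sha256sum on other systems.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if DIR/SHA256 (BSD format, as written by
# "cksum -a sha256 * > SHA256") lists every file in DIR with a matching
# hash and names no file that is absent.
check_manifest() {
    dir=$1
    bad=0
    [ -f "$dir/SHA256" ] || { echo "no SHA256 in $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in SHA256*) continue ;; esac
        want=$(awk -v n="($name)" \
            '$1 == "SHA256" && $2 == n { print $4 }' "$dir/SHA256")
        if [ -z "$want" ]; then
            echo "UNLISTED $name" >&2; bad=1
        elif [ "$want" != "$(hash_file "$f")" ]; then
            echo "MISMATCH $name" >&2; bad=1
        fi
    done
    # Manifest entries whose file has gone missing.
    for name in $(awk '$1 == "SHA256" {
            print substr($2, 2, length($2) - 2) }' "$dir/SHA256"); do
        [ -f "$dir/$name" ] || { echo "MISSING $name" >&2; bad=1; }
    done
    return $bad
}

# Sign DIR/SHA256 with an embedded signature (-e) so that signify -C can
# check the files against it, then run that check with the public key.
# The key paths ($2, $3) must be absolute because of the cd.
sign_manifest() {
    ( cd "$1" || exit 1
      signify -S -e -s "$2" -m SHA256 -x SHA256.sig &&
      signify -C -p "$3" -x SHA256.sig )
}

# Only sign a manifest that still describes the directory.
if [ $# -eq 3 ]; then
    check_manifest "$1" && sign_manifest "$1" "$2" "$3"
fi
```

Run it once for each directory that carries a SHA256 file (6.0/i386, 6.0 and 6.0/packages/i386 in this tutorial) before running mkhybrid.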

Step 6: Burn

Once you have your freshly mastered ISO, you can burn it to your favorite brand of CD-R:

cdio -f cd0c tao -s 8 unofficial-openbsd-stable-6.0.5-20160903-i386.iso

And don’t forget to buy the official release media if you use OpenBSD in any significant capacity, as the project can really use your support.

Upstart: don’t mess with the rc job

Recently I’ve been fiddling a bit with Upstart, and in general I’m positive about the experience. Upstart offers a lot of flexibility and simple but very welcome features like real service supervision with respawning capabilities. There are a few downsides:

Relatively few SysV init scripts have been converted to Upstart jobs. This is logical since there are a lot of scripts to convert and all of them need testing before considering them production ready. That said, the progress over time in this area isn’t particularly overwhelming either.

Upstart is much harder to troubleshoot when unexpected things happen; this is to a degree inherent to Upstart’s parallel/event-based nature. Adding the following options to your kernel parameters does help a bit: ‘nosplash INIT_VERBOSE=yes init=/sbin/init noplymouth -v’.

As far as I know there is no way to have SysV init scripts depend on Upstart jobs. This was to be expected, since it is pretty hard to implement sensibly, but considering my first point (the fact that lots of SysV scripts still have to be converted), this can be annoying. My advice: don’t fiddle with the rc job! I did, and it gave me grief (Upstart hung on reboots), causing me to waste a day figuring out what went wrong. If you need a SysV script to depend on an Upstart job, remove the SysV script and convert it to an Upstart job yourself.

Preseed LDAP via Debconf on Ubuntu Lucid

As some of you may know, configuring LDAP on Ubuntu Lucid can be a bit of a pain in the ass, especially getting it consistent throughout your infrastructure. So here’s a way to relatively easily configure LDAP via Debconf preseeding.

First install debconf (it’s likely already installed, but double-check this):

# apt-get install debconf

Then put the following lines into debconf-ldap-preseed.txt so we can feed it to debconf later (obviously you need to adapt this configuration file to your own situation):

ldap-auth-config    ldap-auth-config/binddn    string    cn=proxyuser,dc=yourdomain,dc=com
ldap-auth-config    ldap-auth-config/bindpw    password    
ldap-auth-config    ldap-auth-config/dblogin    boolean    false
ldap-auth-config    ldap-auth-config/dbrootlogin    boolean    true
ldap-auth-config    ldap-auth-config/ldapns/base-dn    string    dc=yourdomain,dc=com
ldap-auth-config    ldap-auth-config/ldapns/ldap-server    string    ldap://
ldap-auth-config    ldap-auth-config/ldapns/ldap_version    select    3
ldap-auth-config    ldap-auth-config/move-to-debconf    boolean    true
ldap-auth-config    ldap-auth-config/override    boolean    true
ldap-auth-config    ldap-auth-config/pam_password    select    crypt
ldap-auth-config    ldap-auth-config/rootbinddn    string    cn=manager,dc=yourdomain,dc=com
ldap-auth-config    ldap-auth-config/rootbindpw    password    
libnss-ldap    libnss-ldap/binddn    string    cn=proxyuser,dc=yourdomain,dc=com
libnss-ldap    libnss-ldap/bindpw    password    
libnss-ldap    libnss-ldap/confperm    boolean    false
libnss-ldap    libnss-ldap/dblogin    boolean    false
libnss-ldap    libnss-ldap/dbrootlogin    boolean    true
libnss-ldap    libnss-ldap/nsswitch    note    
libnss-ldap    libnss-ldap/override    boolean    true
libnss-ldap    libnss-ldap/rootbinddn    string    cn=manager,dc=yourdomain,dc=com
libnss-ldap    libnss-ldap/rootbindpw    password    
libnss-ldap    shared/ldapns/base-dn    string    dc=yourdomain,dc=com
libnss-ldap    shared/ldapns/ldap-server    string    ldap://
libnss-ldap    shared/ldapns/ldap_version    select    3
libpam-ldap    libpam-ldap/binddn    string    cn=proxyuser,dc=yourdomain,dc=com
libpam-ldap    libpam-ldap/bindpw    password    
libpam-ldap    libpam-ldap/dblogin    boolean    false
libpam-ldap    libpam-ldap/dbrootlogin    boolean    false
libpam-ldap    libpam-ldap/override    boolean    true
libpam-ldap    libpam-ldap/pam_password    select    crypt
libpam-ldap    libpam-ldap/rootbinddn    string    cn=manager,dc=yourdomain,dc=com
libpam-ldap    libpam-ldap/rootbindpw    password    
libpam-ldap    shared/ldapns/base-dn    string    dc=yourdomain,dc=com
libpam-ldap    shared/ldapns/ldap-server    string    ldap://
libpam-ldap    shared/ldapns/ldap_version    select    3
libpam-runtime    libpam-runtime/profiles    multiselect    unix, ldap

Now we feed the above file to debconf:

# cat debconf-ldap-preseed.txt | debconf-set-selections

And finally we need to switch nss to include LDAP lookups:

# auth-client-config -p lac_ldap -t nss

Optionally make sure homedirs are created on login:

# echo -e 'session required\t\t\' >> /etc/pam.d/common-session

One of the other advantages is that this may also benefit future upgrades: since all the settings are preseeded through debconf, it’s less likely a future update/upgrade will break your setup. This is purely speculative since I haven’t done any actual upgrades yet.


Installing Debian Squeeze on a Yeeloong Netbook

As most of you have already noticed, I have a Yeeloong netbook, and I read that it’s actually possible to install Debian Squeeze on it, even though Squeeze officially doesn’t support the Yeeloong or the Loongson processor. Fortunately the install doesn’t involve anything too scary. The Debian mipsel binaries are o32 binaries not really optimized for a particular CPU, which means they will run on lots of CPUs (not unlike how the i386 binaries run on most x86 processors). The Loongson 2F processor has all instructions to be MIPS III compliant, which is enough for the Debian binaries. So where is the problem then? It’s with the kernel: Debian doesn’t provide any Linux kernel images for the Loongson CPU, and more particularly for the Yeeloong netbook.

Basic Installation

I’ve built a kernel image and kernel package for general use on the Yeeloong which is also capable of booting the Malta Debian installer. To actually use them download all three, and put them in the root of an ext2 formatted USB stick. Then plug the USB stick into your Yeeloong and make sure it has wired Ethernet connectivity. Then start the Yeeloong and press Del during bootup to enter PMON (its BIOS alternative). In PMON you need to enter the following commands:

load /dev/fs/ext2@usb0/vmlinux-
initrd /dev/fs/ext2@usb0/initrd.gz

If you use an older kernel you also need to pass the ‘console=tty’ and ‘no_auto_cmd’ parameters to the g command.

If all went well you’ll notice the Debian installer starting, and prompting you with its first questions. Select your preferred language, location, locale, keyboard layout, hostname, domain name, Debian archive mirror & proxy information.

If all went well, you’ll notice the Debian installer complaining it hasn’t found any (matching) kernel modules, and it’ll ask you if you want to proceed without. We’ll answer Yes, since everything critical has been monolithically compiled into my custom kernel.

Next, setup your root password and an initial user account.

Now we’re entering the partitioning tool, which will complain with a scary red dialog that my custom kernel is missing Software RAID and LVM support, which we really don’t need. Select continue for both warnings.

Now we’ve really entered the partitioning tool, and you’ll notice two devices: the (probably) FUJITSU 160GB hard disk and the USB stick. Make sure you don’t touch the USB stick (sdc). Select the FUJITSU (sda) hard disk and press Enter, which will effectively erase the whole disk and reinitialize it with a new partition table. The partitioning tool will complain that it does not know the partition table type for the Loongson architecture; select the familiar msdos partition table type. Next create a new partition: 1GB, primary, beginning, with a /boot mount point and relatime,sync mount options. Make sure it’s used as an ext2 file system, otherwise your Yeeloong won’t boot. When you’re done setting up this first “special” boot partition, we can create a new swap partition: 2GB, primary, beginning, use as swap area. With that done, we can create a new root partition: 17GB, primary, beginning, use as ext4 journaling file system, mount point /, mount options relatime. And last we can create a new home partition: 140GB, primary, beginning, use as ext4 journaling file system, mount point /home, mount options relatime. Now finish and write the changes to disk.

You’ll notice the Debian installer downloading packages and installing them. At some point it will complain that no installable kernel was found, and ask if you want to continue without a kernel. Yes, you do.

Now only a few things are left: software selection, where I usually unselect everything, and bootloader installation, where the installer will complain it can’t install any. We don’t care, as the Yeeloong doesn’t need a bootloader at all. So we continue.

When we (next) get the “Finish the installation” dialog, we do not continue immediately. Instead we press Ctrl+Alt+F2 and Enter (to activate the console). Now we need to manually install a kernel package; to do so enter the following commands:

mount /dev/sdc1 /mnt
cp /mnt/linux-image- /target/root
umount /mnt
chroot /target /bin/bash
dpkg -i /root/linux-image-
cp /boot/vmlinux- /boot/vmlinux

Then press Ctrl+Alt+F1 to return to the installer and finally press continue to reboot. During the reboot press Del to enter PMON once again, since we need to tell PMON about our new installation:

set ShowBootMenu "no"
set al "/dev/fs/ext2@wd0/vmlinux"
set arg "root=/dev/sda3"

Now you should see your Yeeloong reboot again, and booting into your new Debian Squeeze installation.

Installing extra utilities

Your newly installed clean Debian system isn’t very useful yet, so you’ll need to add some extra software. One of the things I usually do is disable the installation of “Recommended” packages. These are a kind of soft dependency: this is how packages pull along other packages which aren’t strictly required, and which are usually nice to have but sometimes utterly useless (and clutter up your system). So to disable the automatic installation of Recommends do the following as root:

echo 'APT::Install-Recommends "false";' > /etc/apt/apt.conf.d/99synaptic

Whenever you install a new package apt will tell you what its Recommends would have been. I highly recommend you inspect the Recommended packages to see if they would be useful to you.

Now, let’s install a bunch of packages I always like to have handy:

apt-get install alsa-base alsa-utils autoconf automake build-essential \
                libncurses5-dev autotools-dev binutils bison \
                busybox-static bzip2 cdbs command-not-found coreutils \
                cpio curl debhelper devscripts dpkg-dev fakeroot file \
                findutils flex fortune-mod fortunes-debian-hints g++ \
                gcc gdb gfortran git-core gnupg gobjc grep gzip \
                iproute less lftp links lsof m4 make mtr-tiny nano \
                openssh-client patch pciutils usbutils procps psmisc \
                quilt rsync screen sharutils sl smartmontools splint \
                subversion sudo telnet tftp-hpa unzip util-linux wget \
                wpasupplicant xz-utils

This will take a while to install, but it’ll leave you with a very functional base system.

Installing Basic X11

Before installing X11 there are a couple of considerations. First I would highly recommend using my optimized pixman packages (though Debian’s own pixman will work). Next you’ll have to choose between an optimized SiliconMotion driver and using Xorg via the kernel framebuffer. If you need video playback you should use the optimized SiliconMotion driver, if you don’t you might want to consider sticking with the linux framebuffer driver, since with it, tty switching will be smoother, and you won’t need patched Xorg packages. And last but not least you’ll need to choose a login manager. I highly recommend SLiM, though Debian’s version is a tad buggy, I have a fixed package available as well (with GNOME Keyring integration for Network Manager).

My repository has the following mipsel components available: linux, pixman, slim, thinice, ufraw, xorg. To use my repository with the optimized pixman, fixed SLiM login manager, my customized ThinIce theme and updated ufraw, execute as root:

echo 'deb squeeze linux pixman slim thinice ufraw' > /etc/apt/sources.list.d/pcode.list
apt-get update
apt-get install xserver-xorg xserver-xorg-input-evdev \
                xserver-xorg-input-mouse xserver-xorg-video-fbdev \

Installing XFCE

Now that we have a very basic X11 setup, we probably want a decent desktop environment as well. To get a basic but functional XFCE installation:

apt-get install xfce4-panel xfce4-session xfce4-settings xfce4-terminal \
                xfce4-utils xfdesktop4 xfwm4 xfwm4-themes thunar \
                network-manager-gnome libpam-gnome-keyring thinice-noble \
                gnome-noble-icon-theme gnome-keyring seahorse gtk2-engines \
                ttf-liberation ttf-dejavu-core gsfonts ghostscript

If you like my old school UNIX like ThinIce-Noble theme, you can download my skel files here, and install them to be used with newly created users:

cd /etc/skel
tar zxvf /root/xfce-thinice-noble-skel.tar.gz

Installing Applications

Obviously without applications your new desktop is useless, just some quick tips:

apt-get install iceweasel geany abiword xarchiver
apt-get install gimp gimp-plugin-registry gimp-resynthesizer gimp-ufraw

Have fun.

ThinIce Noble (Compact)

On my Yeeloong netbook I’m running XFCE because it’s a tad more lightweight than GNOME. Considering the Yeeloong’s resources, a lot of modern themes can be a bit heavy, so after some testing I went with the ThinIce theme. Out of the box the ThinIce theme isn’t so great. Firefox/Iceweasel don’t look so great with it (an issue with text field background colors). The scrollbars are too thin. The gray isn’t neutral (this is a personal pet peeve). And the default blue selection color isn’t to my liking either. The main problem with the default blue selection color is that there is no matching icon theme. So I went with the GNOME Noble icon theme and took the icon theme’s base purple tint as a selection color for ThinIce. The next problem, which is true for pretty much all GTK themes, is that they waste a lot of screen real estate. That is actually a good thing if you have a big display: big buttons and lots of spacing make things look good and easier to use. However on a netbook this isn’t so great. So I had to shrink down my ThinIce theme a bit. The result:

If you like the theme, you can get the sources here, and a nice architecture independent Debian package here. I’ve even put the configuration files online here, which you can put in your /etc/skel to get everything configured by default for every new user which is added to your system.

Most Modern LCD Panels Are BGR Instead Of RGB

UPDATE: I think I screwed up here. I still need to reinvestigate this.

Recently I purchased a nice cheap USB microscope. When I bought the thing I wasn’t sure if it would actually work with Linux, but in the end everything turned out fine as it’s a UVC camera, so it’ll work fine with for example Cheese.

Now, using that USB microscope, turning the LED lighting off, I took a look at several of my displays, here’s a sample from my cheap HP laptop, which has a cheap Samsung panel in it:

As you might note the subpixel configuration isn’t RGB, but it’s actually BGR (Blue, Green, Red). And that certainly made me curious: was my laptop one of those exceptions? So I checked out my decent HP display (which has an LG IPS panel), and it has a BGR subpixel configuration too. Next up I checked my Yeeloong netbook, and guess what, it has a BGR subpixel configuration too.

Some of you might wonder why I’m talking about subpixels? Please don’t forget that a single pixel is comprised of three subpixels, one for each primary color. This is also why the subpixels aren’t square, since each pixel comprised of three subpixels should be approximately square.

Now the silly thing is, I actually changed the subpixel rendering in my font settings, but I can’t say I liked the BGR rendering better than the RGB rendering. I’m not sure why this is, I haven’t really looked into that yet.

Upgrading the Lemote Yeeloong’s RAM

I own a Lemote Yeeloong which is sold with 1GB of RAM, which is fine for normal use. But since I do regularly compile stuff having a bit more RAM for caching would be very nice.

Now when you open up the Yeeloong you’ll note it has a single DDR2 SODIMM slot populated with a 1GB 667MHz A-Data module.

I tried replacing it with a random Hynix 2GB 667MHz module and the Yeeloong wouldn’t boot at all. I’ve contacted the vendor to ask if it’s possible to upgrade the Yeeloong at all, and if so, if any requirements need to be met.

UPDATE: In the meantime I received a mail from Gilbert Fernandes who informed me that the memory in the Yeeloong should always be single rank (most typical 2GB modules aren’t). Since I don’t have 2GB single rank modules lying around, I haven’t been able to test this.

Lemote Yeeloong 8089

Unlike the past, the current reality is that all desktop hardware is x86 based. When we go back into the past, let’s say mid ’90s or even earlier, each vendor had its own architecture preference.

I only got into computing well after x86 had asserted its dominance. And everything non-x86 was particularly pricey. I’ve always wanted some non-x86 hardware, but back then it was practically out of reach, at least the current hardware was.

Now more than ten years later, old SGI hardware is affordable, but then again, you have to dedicate half a desk to a machine you’d only use for fun…

Now as some of you might have noticed the Chinese are actually reviving the MIPS architecture beyond the embedded realm. The Chinese have been steadily working on their own homegrown MIPS chip called the Loongson / Godson / Dragon CPU.

The first Godson never was available for purchase outside of China, but a company called Lemote has made various systems based on the Godson II chip.

Their Dutch/European distributor Tekmote actually has a promotional sale of their Yeeloong netbook. So I decided to buy one. A nice MIPS netbook is much more convenient than dedicating a desk to an old SGI machine, and more importantly the Godson architecture is alive as opposed to dying.

I’ve been fiddling with the machine for almost a month now, here are a few observations. The Yeeloong with its 900MHz Loongson 2F (Godson II), isn’t nearly as fast as a modern Intel Atom. And the Silicon Motion graphics chip is lamentable when compared to an Intel GMA. That said it’s still a functional netbook, and more importantly it’s not x86 🙂

The default heavily modified Debian install isn’t great either. Thus far I tried OpenBSD 4.8 on it which works but a lot of ports don’t work, but I’ve been hearing good things about OpenBSD 4.9 to be released in a month or so. Then I tried Gentoo on it, which works pretty well with some inconveniences. The Gentoo-MIPS team has been extremely helpful (thanks guys). Then I found out that it’s possible to install Debian Squeeze’s mipsel port (with a home-baked kernel) on the Yeeloong. And true to form Debian works extremely well. I’ll probably be documenting the installation procedure later on.

In the end I’m quite happy with the Yeeloong, it’s a fun device to fiddle with, especially considering almost everything is open source, no blobs required. Even its BIOS/Firmware called PMON is open source.

Basic OpenType support in

Yay, I completely missed that finally supports OpenType fonts… Only basic support though, all the real OpenType candy isn’t properly supported yet. It’ll probably take another ice age to pass before will properly support OpenType.

However without Sun or Oracle holding it back LibreOffice may stand a better chance of staying up to speed on current technology.

Encoding Theora using ffmpeg

So, there is ffmpeg2theora which you want to use to easily encode to Ogg/Theora/Vorbis; however, you can use plain ffmpeg too, which offers a bit more flexibility in some ways. For example you can embed Theora and Vorbis into a Matroska container, which should have an index, which could make seeking easier (in theory).

So for an example, the following command line encodes a source video file into DVD quality (720×576 anamorphic widescreen resolution), using a “Long” GOP of 15, which again should make seeking more efficient (although it will increase file size):

# ffmpeg -i input.mp4 -s 720x576 -aspect 16:9 \
         -vcodec libtheora -g 15 -qscale 8 \
         -acodec libvorbis -ac 2 -aq 6 \
         -sn output.mkv

It’s just an example you can customize to your heart’s desire.