lbragstad | startmeeting policy | 16:00 |
lbragstad | #startmeeting policy | 16:00 |
openstack | Meeting started Wed Aug 16 16:00:47 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. | 16:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 16:00 |
*** openstack changes topic to " (Meeting topic: policy)" | 16:00 | |
openstack | The meeting name has been set to 'policy' | 16:00 |
lbragstad | ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, morgan, raj_singh, johnthetubaguy, knikolla, nhelgeson | 16:00 |
gagehugo | o/ | 16:01 |
lbragstad | o/ | 16:01 |
lbragstad | #link https://etherpad.openstack.org/p/keystone-policy-meeting | 16:01 |
felipemonteiro_ | o/ | 16:01 |
blancos | o/ | 16:01 |
edmondsw | o/ | 16:01 |
felipemonteiro_ | lbragstad: i know i didn't get back to you on mailing list but thanks for the feedback, it helped | 16:01 |
lbragstad | felipemonteiro_: sure thing! | 16:02 |
lbragstad | we don't have much on the agenda today - so we can go ahead and get started | 16:03 |
lbragstad | #topic global roles | 16:03 |
*** openstack changes topic to "global roles (Meeting topic: policy)" | 16:03 | |
lbragstad | knikolla: and i met on monday to go through the existing PoC that's up | 16:03 |
lbragstad | and we came up with a road map of what needs to happen to get it into PoC shape for the PTG | 16:04 |
lbragstad | we documented it here | 16:04 |
lbragstad | #link https://etherpad.openstack.org/p/keystone-global-roles-poc | 16:04 |
cmurphy | o/ | 16:04 |
lbragstad | I'll be working on step 1 this week and my goal is to have the refactor passing tests by EOW | 16:04 |
lbragstad | knikolla: plans to jump in and help out once RC2 is out the door - which will be EOW as well | 16:05 |
lbragstad | if there is anything you'd like to add to the etherpad that improves the PoC - let me know | 16:05 |
lbragstad | or if the work sounds interesting and you want to help out | 16:05 |
lbragstad | let me know - i'm happy to coordinate | 16:05 |
edmondsw | tx lbragstad | 16:06 |
lbragstad | yep! i'm looking forward to the work | 16:06 |
edmondsw | I'll look over the etherpad today | 16:06 |
lbragstad | edmondsw: thanks | 16:06 |
lbragstad | #topic policy at the PTG | 16:07 |
*** openstack changes topic to "policy at the PTG (Meeting topic: policy)" | 16:07 | |
lbragstad | i have a dedicated time set up at the PTG to help projects with moving policy into code | 16:09 |
lbragstad | if your project needs help here - let me know | 16:09 |
lbragstad | or sign up on the etherpad | 16:09 |
lbragstad | #link https://etherpad.openstack.org/p/policy-queens-ptg | 16:10 |
lbragstad | Still waiting on a room assignment - but this will most likely be happening on the cross-project days (monday and tuesday) | 16:10 |
lbragstad | #topic open discussion | 16:11 |
*** openstack changes topic to "open discussion (Meeting topic: policy)" | 16:11 | |
lbragstad | floor is open | 16:11 |
edmondsw | lbragstad added a couple more questions in the global roles etherpad | 16:14 |
lbragstad | looks like we can get some time back - thanks for coming! | 16:14 |
lbragstad | edmondsw: ack | 16:14 |
lbragstad | edmondsw: want to discuss them here? | 16:14 |
edmondsw | up to you | 16:14 |
lbragstad | we have the time | 16:14 |
edmondsw | sure | 16:14 |
edmondsw | 4.1... you say "new attribute to oslo.policy"... but 4 is supposed to be nova changes (3 is oslo.policy), so that seems out of place or misworded | 16:15 |
lbragstad | yeah - it probably is, trying to think of what made me justify that | 16:15 |
lbragstad | now that i think about it | 16:15 |
edmondsw | feel free to remove my question when you clean it up | 16:15 |
lbragstad | nova work probably means hacking around the scope check? | 16:16 |
lbragstad | or making it so nova consumes the proper attributes from oslo.policy/oslo.context? | 16:16 |
edmondsw | nova work might be fairly involved, at least for a full implementation... maybe just fix a few things for a demo | 16:16 |
lbragstad | yeah - that's what i was thinking | 16:16 |
lbragstad | i wouldn't be surprised if that turned into a rabbit hole | 16:17 |
edmondsw | remember they have their main scope check buried in a non-obvious place in the db code | 16:17 |
lbragstad | so maybe part of that is figuring out "just how much you have to muck with nova to get the demo to work" | 16:17 |
edmondsw | yeah :) | 16:17 |
lbragstad | edmondsw: maybe that's not entirely bad | 16:18 |
lbragstad | i mean - sure | 16:18 |
lbragstad | validation should probably not be done in the database, | 16:18 |
lbragstad | but there is nothing preventing us from short-circuiting the check in higher layers | 16:19 |
edmondsw | yeah, we'll have to see... might give you one place to change, if you can figure out how | 16:19 |
lbragstad | yeah | 16:19 |
edmondsw | well not one... there are others... that's the main one though | 16:19 |
edmondsw | and what about using observer in the demo? We don't have an observer role defined in any policy yet, so are you going to do a bunch of custom policy to show that? | 16:20 |
edmondsw | seems like you might want to just stick to admin and member for this demo | 16:20 |
lbragstad | edmondsw: i wasn't planning on doing a bunch of policy changes - i was more or less writing an outline for what would be an effective demo | 16:21 |
edmondsw | otoh, customizing policy to create an observer role shouldn't be too hard | 16:21 |
lbragstad | (because everyone seems to really gravitate towards the observer role case) | 16:21 |
edmondsw | yep, definitely | 16:21 |
lbragstad | i figured using that would help people understand how things work since they already have a solid understanding of it because they want it | 16:21 |
edmondsw | definitely.. just making sure you realize there is work to be done there that has nothing to do with global scope really | 16:22 |
edmondsw | would totally be useful if we did that work | 16:22 |
lbragstad | right - it's something that helps illustrate the global scope thing | 16:22 |
lbragstad | "if i apply the observer role global, Bob should be able to see all instances across all projects" | 16:23 |
lbragstad | s/global/globally/ | 16:23 |
edmondsw | yep | 16:23 |
lbragstad | edmondsw: good last point | 16:25 |
lbragstad | yes - it will require a migration | 16:25 |
lbragstad | (role migration) | 16:25 |
lbragstad | maybe show before and after? | 16:25 |
lbragstad | this is Bob and Bob has an admin role on a project - which unfortunately gives him god-mode everywhere | 16:26 |
lbragstad | then explain that Bob needs the admin role scoped globally to maintain the things he needs to do to admin his cloud | 16:26 |
edmondsw | lbragstad yeah, we'll have to talk about backward compat, which probably means opt-in | 16:27 |
lbragstad | if a user has admin on a project but shouldn't be doing things globally - then they get fixed automatically | 16:27 |
lbragstad | yeah | 16:28 |
edmondsw | and interop | 16:28 |
lbragstad | about 5.6.2 | 16:28 |
lbragstad | that's going to require rework in each of the services | 16:28 |
edmondsw | yep, totally | 16:28 |
lbragstad | each project needs to go through and rework their classification of an operation to fit into multiple scoped | 16:29 |
lbragstad | scopes* | 16:29 |
edmondsw | not sure if you want to try to do a little of that to demo it here or leave that for later | 16:29 |
lbragstad | if someone is trying to create an instance using a globally scoped token, nova should catch it in validation and reject it | 16:29 |
edmondsw | only if we decide we don't want to allow that | 16:29 |
lbragstad | i'll defer to the nova folks | 16:30 |
lbragstad | since i assume they have more stake in that | 16:30 |
edmondsw | we could also decide that we do want to allow it, and just make the caller pass the project_id in the POST body | 16:30 |
lbragstad | since it would break backwards compatibility | 16:30 |
edmondsw | the new attribute would just require a new microversion | 16:30 |
lbragstad | we typically had a pretty hard stance on not having certain things floating around globally | 16:31 |
lbragstad | (that also seems to introduce new edge cases in limits and quotas) | 16:31 |
edmondsw | what do you mean? | 16:32 |
lbragstad | what if you have instances that are owned globally (not associated to a project) | 16:32 |
edmondsw | I'm not suggesting you be able to create something that's global... rather than you can create something that's scoped to a project using a token that is scoped globally | 16:32 |
lbragstad | ohh | 16:32 |
lbragstad | nevermind | 16:32 |
edmondsw | just like you can view something that's scoped to a project using a token that's scoped globally | 16:32 |
lbragstad | yeah - we can totally bring that up to the projects at the ptg | 16:33 |
lbragstad | that might help ease the token scope confusion problem | 16:33 |
edmondsw | lbragstad reworded to clarify | 16:33 |
lbragstad | (do i need a project scoped token to do X or do i need a globally scoped token?) | 16:34 |
edmondsw | exactly | 16:34 |
lbragstad | that also might be answered by a capabilities endpoint after 3.3 is done | 16:34 |
edmondsw | talking to our UI guys (PowerVC has a custom UI, not horizon), they hate the idea of having to get a different token for each project in order to present a global view | 16:34 |
lbragstad | yeah | 16:35 |
lbragstad | i think horizon feels the same way | 16:35 |
edmondsw | I would expect so | 16:35 |
lbragstad | but gyee mentioned the pain of having to constantly wonder what the required scope is for an opertion | 16:35 |
lbragstad | operation* | 16:35 |
lbragstad | 3.3 might fix that for us with a consistently exposed endpoint | 16:36 |
edmondsw | what's happening with 3.3? | 16:36 |
edmondsw | what's 3.3? | 16:36 |
lbragstad | i think i figured out why i put that under nova work | 16:36 |
lbragstad | let me grab an example | 16:36 |
lbragstad | #link https://github.com/openstack/keystone/blob/master/keystone/common/policies/endpoint.py#L18-L23 | 16:37 |
lbragstad | what if we added something ^ there to do this: | 16:38 |
lbragstad | http://paste.openstack.org/show/618561/ | 16:38 |
lbragstad | which would render the scope for a given api with the documentation or sample policy files | 16:38 |
lbragstad | but it would also make the scope available to advertise through a capabilities api | 16:39 |
lbragstad | libraries and clients would be able to programmatically determine what scope is required for an operation by inspecting the document provided by a capabilities API | 16:40 |
edmondsw | I was rather thinking we avoid the issue by not limiting APIs to a specific scope | 16:40 |
edmondsw | e.g. the create thing... let folks create using a token with either project or global scope | 16:41 |
edmondsw | the thing they're creating might still be project-scoped... maybe what you're suggesting comes in there? | 16:41 |
lbragstad | well - today the project is pulled from the token in those cases | 16:42 |
edmondsw | right... and I would assert we need to fix that | 16:42 |
lbragstad | ah | 16:42 |
edmondsw | making people get tokens scoped a certain way to do certain things is onerous and unnecessary | 16:43 |
edmondsw | (or rather, should be unnecessary) | 16:43 |
lbragstad | this would add another condition to scope checking | 16:43 |
lbragstad | but i understand the usability arguments | 16:43 |
edmondsw | you should be able to do or not do things based on your role and whether the scope of what you're trying to do is equal to or within the scope of your token, period | 16:43 |
edmondsw | then you don't need to be making statements about scope for every individual API | 16:44 |
edmondsw | and the UI teams will cheer! :) | 16:44 |
lbragstad | the only thing about that statement that doesn't apply today is the "within" bit | 16:44 |
edmondsw | right... because we don't have global roles yet | 16:45 |
edmondsw | so it didn't apply | 16:45 |
edmondsw | but now it will | 16:45 |
lbragstad | ok - counter argument | 16:45 |
lbragstad | once all this stuff is working and in place | 16:46 |
lbragstad | does this make compromised admin-tokens too dangerous? | 16:46 |
edmondsw | more than they already are? no | 16:46 |
edmondsw | the opposite, actually | 16:46 |
lbragstad | hence the already working part | 16:46 |
lbragstad | (one of the arguments i've heard for scoping is that it limits the damage of a compromised token to a single project) | 16:47 |
edmondsw | today, a compromised admin token won't let you create except in one project, sure, but it will let you view/update/delete in all, and those things are worse | 16:47 |
lbragstad | but a compromised admin token, after all of what we discussed is in place, would allow someone to create instances anywhere | 16:48 |
edmondsw | tomorrow, with global roles and ability to create with such, yes, a compromised global admin token will be slightly more powerful (can create) but that's only negligibly worse because view/update/delete are the things you really worry about first and foremost | 16:48 |
edmondsw | and you'll have far fewer such tokens than project-scoped admin tokens, so the chances of compromise are reduced | 16:49 |
edmondsw | if someone can delete things but can't create, I don't feel any better than if they could both delete and create | 16:49 |
edmondsw | I'll say "they can delete! nooooo!!!" | 16:50 |
edmondsw | and forget about create | 16:50 |
edmondsw | :) | 16:50 |
edmondsw | lbragstad right? | 16:50 |
lbragstad | yeah - that makes sense | 16:50 |
lbragstad | i need to ponder this a bit more | 16:51 |
edmondsw | sure | 16:51 |
lbragstad | i like how it eases usability of scoping though | 16:51 |
lbragstad | edmondsw: anything else on the etherpad you want to cover? | 16:53 |
edmondsw | I think that's it for now... thanks for this! | 16:54 |
lbragstad | yeah - i hope it helps get things in order to the PTG | 16:54 |
lbragstad | i'd say if we get through 5 - we're doing well | 16:54 |
edmondsw | very | 16:54 |
lbragstad | cool - anything else for open discussion? | 16:55 |
edmondsw | and, with a short agenda, we took the full hour :) | 16:55 |
lbragstad | i know it | 16:55 |
lbragstad | kinda nice | 16:55 |
lbragstad | edmondsw: do we want to save bringing this up to the nova folks until the ptg? | 16:55 |
lbragstad | the project_id thing? | 16:55 |
edmondsw | for create APIs? | 16:55 |
lbragstad | i was debating a thread to kickstart policy discussions | 16:55 |
edmondsw | yeah, without johnthetubaguy there I don't know how interested the rest are in all this | 16:56 |
lbragstad | hoping it will help us be more productive while we're in denver | 16:56 |
lbragstad | johnthetubaguy: is supposedly going to be in Denver | 16:56 |
edmondsw | it shouldn't hurt to throw something on the ML and see if we get any response | 16:56 |
edmondsw | awesome | 16:57 |
lbragstad | ok - i'll mention it when i start spamming folks about policy early next week | 16:57 |
lbragstad | alright - just about out of time | 16:58 |
lbragstad | thanks for the discussion! | 16:58 |
lbragstad | #endmeeting | 16:58 |
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings" | 16:58 | |
openstack | Meeting ended Wed Aug 16 16:58:17 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:58 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-08-16-16.00.html | 16:58 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-08-16-16.00.txt | 16:58 |
openstack | Log: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-08-16-16.00.log.html | 16:58 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!