Monday, 2016-08-01

*** markvoelker has joined #openstack-security		00:12
*** sdake has joined #openstack-security		00:13
*** markvoelker has quit IRC		00:17
*** sdake has quit IRC		00:17
*** austin987 has quit IRC		00:36
*** austin987 has joined #openstack-security		00:40
*** austin987 has quit IRC		00:47
*** austin987 has joined #openstack-security		00:47
*** austin987 has quit IRC		00:59
*** markvoelker has joined #openstack-security		01:13
*** markvoelker has quit IRC		01:17
*** austin987 has joined #openstack-security		01:27
*** davidjd-gh has joined #openstack-security		01:37
*** davidjd-gh has left #openstack-security		01:37
openstackgerrit	Rahul U Nair proposed openstack/bandit: Fixing jenkins failing on coverage reporting https://review.openstack.org/349329	02:55
unrahul	gmurphy: I have pushed a change for the bandit failing on tox	02:56
unrahul	for Syntribos we had a similar issue and it was fixed by doing these changes.	02:57
*** davidjd-gh has joined #openstack-security		02:57
*** davidjd-gh has left #openstack-security		02:57
unrahul	gmurphy: I am not getting any coverage failed errors locally, let's see what the bandit cores think.	02:57
*** Nikolay_St has joined #openstack-security		03:04
*** yuanying has quit IRC		03:08
*** amitkqed has quit IRC		03:38
*** amitkqed has joined #openstack-security		03:38
gmurphy	thanks!	03:38
*** tmcpeak has joined #openstack-security		03:59
openstackgerrit	Grant Murphy proposed openstack/bandit: Add check for httpoxy vulnerability https://review.openstack.org/349015	04:50
*** tmcpeak has quit IRC		05:02
*** Nikolay_St has quit IRC		05:23
*** austin987 has quit IRC		06:03
*** Nikolay_St has joined #openstack-security		06:19
*** tkelsey has joined #openstack-security		06:29
openstackgerrit	Rahul U Nair proposed openstack/syntribos: Adding unique_id to tests https://review.openstack.org/345286	06:31
*** tkelsey has quit IRC		06:33
*** Cormite has joined #openstack-security		06:34
*** austin987 has joined #openstack-security		06:36
*** tesseract- has joined #openstack-security		06:44
*** austin987 has quit IRC		06:48
openstackgerrit	Rahul U Nair proposed openstack/syntribos: Adding additional fields to debug log https://review.openstack.org/347089	06:51
*** Cormite has quit IRC		07:14
*** liverpooler has joined #openstack-security		07:22
openstackgerrit	Rahul U Nair proposed openstack/syntribos: Updating documentation https://review.openstack.org/349388	07:34
*** Cormite has joined #openstack-security		07:53
*** yuanying has joined #openstack-security		08:08
*** tkelsey has joined #openstack-security		08:20
openstackgerrit	Rahul U Nair proposed openstack/syntribos: Standardizing the way we diff signals https://review.openstack.org/349403	08:24
*** tkelsey has quit IRC		08:33
openstackgerrit	OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/349426	09:04
*** eric_lopez has joined #openstack-security		09:13
*** elo has quit IRC		09:16
*** hyakuhei has joined #openstack-security		09:33
*** hyakuhei has left #openstack-security		09:37
openstackgerrit	Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/349426	10:20
*** hyakuhei has joined #openstack-security		10:27
*** edmondsw has joined #openstack-security		11:40
*** shohel has joined #openstack-security		11:51
sigmavirus	gmurphy: So I was talking to Twisted and they're going to fix that. I dont' know anyone around wsgiref	11:59
*** sdake_ has joined #openstack-security		12:02
openstackgerrit	Merged openstack/security-doc: Update links from Liberty to Mitaka https://review.openstack.org/345696	12:09
*** davidjd-gh has joined #openstack-security		12:24
*** davidjd-gh has left #openstack-security		12:24
*** markvoelker has joined #openstack-security		12:27
gmurphy	sigmavirus: yeah this was mostly my question the other day. should this kind of rule be limited to specific version ranges? i'm not sure if any of the other rules (for example the xml ones) have been addressed now either.	12:37
gmurphy	so i can see value in having this rule right now. specifically for understanding if their's exposure to this vulnerability in your codebase. but as the vulnerability is patched it will become a false positive eventually.	12:38
sigmavirus	gmurphy: right	12:40
sigmavirus	I think yes?	12:40
gmurphy	ok. i'm gonna have to think about how to do that then. i was hoping to sneak this one in under the blacklisting stuff… might not be able to do that now :-)	12:44
*** sdake_ is now known as sdake		12:48
*** Nikolay_St has quit IRC		12:50
gmurphy	i guess i could check twisted.version, and maybe sys.version for wsgiref	12:52
*** _elmiko is now known as elmiko		13:01
*** dikonoor has joined #openstack-security		13:06
*** cleong has joined #openstack-security		13:10
*** Nikolay_St has joined #openstack-security		13:14
*** JAHoagie has joined #openstack-security		13:15
*** dave-mcc_ has quit IRC		13:19
*** dave-mccowan has joined #openstack-security		13:19
*** dave-mccowan has quit IRC		13:19
*** Nikolay_St has quit IRC		13:25
openstackgerrit	Merged openstack/bandit: Fixing jenkins failing on coverage reporting https://review.openstack.org/349329	13:28
openstackgerrit	Merged openstack/bandit: Add check for httpoxy vulnerability https://review.openstack.org/349015	13:28
*** zul_ has quit IRC		13:38
*** ametts has joined #openstack-security		13:41
*** Nikolay_St has joined #openstack-security		13:42
*** zul has joined #openstack-security		13:43
*** liverpooler has quit IRC		13:43
*** dave-mccowan has joined #openstack-security		13:46
*** ametts has quit IRC		13:51
*** ametts has joined #openstack-security		14:00
*** unrahul has quit IRC		14:04
*** amit213 has quit IRC		14:04
*** fyxim has quit IRC		14:04
*** aimeeu has quit IRC		14:04
*** tpeoples has quit IRC		14:04
*** DuncanT has quit IRC		14:04
*** jraim has quit IRC		14:04
*** serverascode has quit IRC		14:04
*** fyxim has joined #openstack-security		14:07
*** shohel has quit IRC		14:15
*** dave-mccowan has quit IRC		14:16
*** alejandro2 has joined #openstack-security		14:16
*** alejandro2 has left #openstack-security		14:16
*** dave-mccowan has joined #openstack-security		14:17
*** aimeeu has joined #openstack-security		14:17
*** austin987 has joined #openstack-security		14:17
*** JAHoagie has quit IRC		14:17
*** DuncanT has joined #openstack-security		14:18
*** tpeoples has joined #openstack-security		14:18
*** amit213 has joined #openstack-security		14:19
*** jraim has joined #openstack-security		14:19
*** serverascode has joined #openstack-security		14:19
*** unrahul has joined #openstack-security		14:19
*** tmcpeak has joined #openstack-security		14:20
*** aastha has joined #openstack-security		14:25
*** austin987 has quit IRC		14:27
*** eric_lopez has quit IRC		14:41
*** eric_lopez has joined #openstack-security		14:49
*** dikonoor has quit IRC		14:52
*** dave-mccowan has quit IRC		15:09
*** dave-mccowan has joined #openstack-security		15:13
*** dave-mccowan has quit IRC		15:16
*** mdong has joined #openstack-security		15:33
*** sdake has quit IRC		15:34
*** dave-mccowan has joined #openstack-security		15:43
*** Cormite has quit IRC		15:43
openstackgerrit	Michael Dong proposed openstack/syntribos: CORS test now operates on test_resp instead of init_resp https://review.openstack.org/349578	15:53
openstackgerrit	Merged openstack/syntribos: Improving parser, adding unit tests https://review.openstack.org/348031	15:58
*** Guest15832 is now known as redrobot		16:04
*** ccneill has joined #openstack-security		16:07
*** markvoelker has quit IRC		16:09
*** tesseract- has quit IRC		16:14
*** vinaypotluri has joined #openstack-security		16:29
*** tesseract- has joined #openstack-security		16:46
*** tesseract- has quit IRC		16:54
*** tesseract- has joined #openstack-security		16:58
*** tesseract- has quit IRC		16:58
*** sdake has joined #openstack-security		17:02
*** markvoelker has joined #openstack-security		17:05
*** sdake has quit IRC		17:17
vinaypotluri	ccneill: i've assigned a task from trello "SECTEST-SYN Update documentation" where i have to figure out a way to add our documentation. Should it be something like a complete syntribos documentation or anything specific ?	17:24
vinaypotluri	ex: http://docs.openstack.org/developer/nova/	17:24
ccneill	the point is to publish the docs that we have in our "doc" folder to the OpenStack site	17:27
ccneill	I'm not sure how to kick off that process, or where that documentation would live	17:27
ccneill	but I don't think we should be working on that yet - hence why I put the docs stuff in "Backlog" instead of "Doing"	17:28
ccneill	we need to finish up the "doing" stuff first	17:28
vinaypotluri	okay	17:28
ccneill	e.g. https://trello.com/c/Q2uhE3kI/114-sectest-syn-finish-revamping-cli-config	17:28
ccneill	since that will ultimately change what we need to put in the docs	17:29
vinaypotluri	cool	17:30
vinaypotluri	i'll work on "Doing" for now	17:30
ccneill	cool cool	17:30
ccneill	if there are any tasks that are assigned but don't have associated CRs, see if the asigned person is working on them, and if not you can re-assign those tasks to yourself	17:30
vinaypotluri	okay	17:34
*** mhayden has quit IRC		17:38
*** mhayden has joined #openstack-security		17:40
*** markvoelker_ has joined #openstack-security		17:53
*** markvoelker has quit IRC		17:53
unrahul	Hey ccneill I was thinking on how we should streamline template file naming/reading to avoid parsing issues and stuff..	18:16
unrahul	what if we add a line on top of the template file, that the tool has to check and gets metadata from it.. rather than following a particular way of naming files..?	18:17
*** markvoelker_ has quit IRC		18:38
*** markvoelker has joined #openstack-security		18:39
*** markvoelker has quit IRC		18:39
*** Nikolay_St has quit IRC		18:40
*** ccneill has quit IRC		18:45
*** eric_lopez has quit IRC		18:52
*** eric_lopez has joined #openstack-security		19:01
*** ccneill has joined #openstack-security		19:10
*** ccneill has quit IRC		19:14
*** ccneill has joined #openstack-security		19:15
ccneill	unrahul: that might be a good approach	19:17
ccneill	unrahul: that gives us a lot more flexibility than trying to build it directly into the filename	19:17
*** sdake has joined #openstack-security		19:18
*** ametts has quit IRC		19:30
*** ametts has joined #openstack-security		19:36
unrahul	yeah..I also feel so.. and that in a way leaves less room for users to make mistakes when they add/extend set of templates in syntribos.. where the file name is not of concern.. but a header should be there.. that says what it is..	19:39
ccneill	yeah.. I think a YAML metadata section would be handy-dandy	19:41
unrahul	+1 at the minimum an encoding type header like # -- coding: utf-8 -- , so like -- method :get --	19:45
mdong	so my question is, what does that method metadata line in a request template get us that the request itself doesn’t already?	19:47
mdong	considering that the first word in a request template is the http method	19:48
openstackgerrit	Merged openstack/syntribos: CORS test now operates on test_resp instead of init_resp https://review.openstack.org/349578	19:48
ccneill	so I was thinking of it in terms of relationships to other request templates	19:54
ccneill	e.g. associating all the methods for CRUDing a given resource together	19:54
ccneill	you could also define what types of data the variables defined in the template accept	19:55
*** ametts has quit IRC		19:55
ccneill	without having to make the template itself unreadable with a bunch of information jammed into every line (like the way we do CALL_EXTERNAL today)	19:55
*** knangia has joined #openstack-security		19:56
mdong	re: CRUDing a given resource, that’ll only come up when we do request pipelining, and we can come up with a solution for pipelining that does not entail marking up our request templates any further	19:57
mdong	I think whatever metadata markup we add should be optional, because right now, request template generation without extensions is the least involved part of the Syntribos workflow	19:58
ccneill	agreed, not every request needs markup	19:59
mdong	it should be a selling point that Syntribos can just be pointed at a raw HTTP request file and work to some reasonable degree	19:59
*** ametts has joined #openstack-security		20:00
unrahul	well.. I think at lease there should be some way to ensure that the file that syntribos is processing is a request template, before reading the entire file and ccneill yup.. it can help us in organizing the templates in a CRUD way, where it can be optional..	20:01
unrahul	at least*	20:01
ccneill	mdong: agreed that it should be possible to just use the raw HTTP request	20:02
*** khanak has joined #openstack-security		20:02
unrahul	because ryt now its kind of open ended, the tool would try reading any file in the templates directory, what if its a huge binary file..or something, which really can be avoided in some other way.	20:02
ccneill	right.. so to an extent I think we want to use SOME file naming convention, even if that naming convention doesn't determine anything else about the file beyond "this is a request template"	20:03
ccneill	maybe only loading files with a .template extension? .txt?	20:04
mdong	but we could solve that problem with documentation as well, or just by passing a message to the user that the file currently being read is unparsable	20:04
mdong	because I think the real problem right now is that Syntribos just crashes when it gets an unparsable file, but there are ways of handling that gracefully	20:05
ccneill	mdong: what if I have 5 request templates open in VIM, and it creates .swp files for all of them in that dir? should we re-parse all of them and run tests against them, even though they should be the same as the 5 actual request templates?	20:05
ccneill	there's nothing invalid about it, it's just wasted effort	20:05
mdong	I like the .template idea	20:05
ccneill	doesn't really significantly change anything about how the templates work - just makes it clear that "THIS IS A TEMPLATE FILE"	20:06
ccneill	that way you can put a README.md in your templates folder if you want, to explain the templates included, etc.	20:06
mdong	we could also just, by default, ignore .swp, __MACOSX files, etc	20:06
unrahul	mdong: okay, will this ever occur, syntribos is running in a ci env, tries to parse a huge file, takes up a lot of resources and slows down the entire ci job..? because as of now.. that can happen ryt..?	20:06
ccneill	¯\_(ツ)_/¯ that gets to be an endless game though	20:06
unrahul	mdong: whitelisting is always better than blacklisting..	20:06
unrahul	i like the idea of .templates..	20:06
unrahul	bandit also have something like that..ryt?	20:07
mdong	well, how does Bandit handle the case of files it can’t read?	20:07
mdong	because for bandit, we just point it at a directory	20:07
unrahul	i am not sure.. but remember seeing.. a directory of files with some extension..	20:08
mdong	and invarably the directory will contain readmes and swap files	20:08
mdong	yet in the end it still only operates on the .py files	20:08
unrahul	we could whitelist .templates files..	20:08
unrahul	like all templates should be files with .templates extension..	20:09
ccneill	mdong: my main thing is this - it takes almost no effort to give a file a given extension, but it takes a fair amount of effort for us to try to engineer around every OTHER kind of file that might exist there	20:09
ccneill	only parsing .template files means that, if we get an invalid template, we got it because the user wrote a bad template file - not any other possible combination of weirdness	20:10
unrahul	i guess.. that can be a quick fix to some of the issues..	20:10
ccneill	a 50000MB .template file isn't randomly going to show up in that dir	20:10
ccneill	and a .DS_Store.template file isn't either	20:10
ccneill	vim will create derp.template.swp files	20:11
mdong	I like the .template idea, I just don’t want us to overengineer a solution to an edge case	20:11
ccneill	and users can put arbitrary READMEs, etc. in that folder as long as they don't name it ".template", which no other program uses	20:11
ccneill	well.. maybe some program uses it, but it's not common	20:11
unrahul	mdong, ccneill +1 agreed I also like the idea	20:11
ccneill	right, me neither - we parse ANYTHING that is a .template and attempt to treat it as a template	20:12
ccneill	we don't do any crazy magic() to determine the content type, filesize to figure out if it's a "reasonable" size, etc.	20:12
mdong	that sounds reasonable to me, but I’ll do a bit of research to see what bandit does when it encounters readme files and such	20:13
mdong	I suspect that it’s just looking at the file extension as well	20:13
ccneill	mdong: looks like it	20:15
ccneill	https://github.com/openstack/bandit/blob/master/tests/unit/cli/test_baseline.py#L29	20:15
mdong	yep	20:15
mdong	https://github.com/openstack/bandit/blob/master/bandit/core/manager.py#L164	20:15
ccneill	(didn't dig too far)	20:15
ccneill	ah yep	20:16
ccneill	should be a simple call to glob()	20:16
ccneill	brb cig	20:16
*** ametts has quit IRC		20:36
*** ametts has joined #openstack-security		20:38
*** JAHoagie has joined #openstack-security		20:38
*** knangia has quit IRC		20:48
*** sdake has quit IRC		21:20
openstackgerrit	Aastha Dixit proposed openstack/syntribos: Adding additional fields to debug log https://review.openstack.org/347089	21:22
*** khanak is now known as knangia		21:26
*** cleong has quit IRC		21:34
openstackgerrit	Aastha Dixit proposed openstack/syntribos: Adding additional fields to debug log https://review.openstack.org/347089	21:44
openstackgerrit	Charles Neill proposed openstack/syntribos: Removes FuzzRequest from Syntribos https://review.openstack.org/347116	21:48
*** jamielennox\|away is now known as jamielennox		21:48
ccneill	oof.. gonna try not to add anything else to my remove_fuzzrequest CR O:-)	21:49
ccneill	+571/-242 :X	21:49
ccneill	unrahul: added unittests for models, coverage says I got 100% coverage	21:49
ccneill	:D	21:49
ccneill	brb	21:49
*** ametts has quit IRC		21:56
openstackgerrit	Michael Dong proposed openstack/syntribos: Fixed string check KeyError https://review.openstack.org/349723	22:12
*** sdake has joined #openstack-security		22:13
unrahul	:D whoa!	22:13
unrahul	ccneill: yup saw that patch i was like.. i bet it was 100 lines less a minute ago..	22:14
ccneill	<_<	22:24
ccneill	added a bunch of unit tests	22:24
ccneill	lol	22:24
ccneill	also needed to make some changes to the RequestHelperMixin to handle URLs properly	22:25
unrahul	yup!, those unittests are one of the most complete ones we have.. I guess we would cross 58% overall with it..	22:26
ccneill	yeah.. we can probably do without 100% coverage, but I want us to get to at least 80-90%	22:29
ccneill	some day	22:29
unrahul	some day :D	22:30
ccneill	yeah..	22:30
ccneill	little by little	22:30
ccneill	we've gone from 8% to 58% pretty quickly :)	22:30
openstackgerrit	Michael Dong proposed openstack/syntribos: Fixed string check KeyError https://review.openstack.org/349723	22:33
ccneill	mdong: good catch! can't believe we missed that :(	22:36
mdong	yeah… added a unittest this time	22:37
ccneill	awesome	22:37
*** davidjd-gh has joined #openstack-security		22:37
*** davidjd-gh has left #openstack-security		22:38
unrahul	another ++ to overall coverage	22:38
ccneill	unrahul, mdong: realized we haven't been naming unit test files for checks consistently	22:42
ccneill	didn't think this was the CR to try and fix it in though	22:43
ccneill	but we have one ("test_http_checks.py) that makes it explicit, and the rest don't	22:43
ccneill	¯\_(ツ)_/¯	22:43
ccneill	maybe we make a tests/unit/checks folder at some point.. it doesn't matter much, just slightly more intuitive if you're looking for those particular tests	22:44
mdong	yeah, I noticed that. I think I prefer to have it explicit just because we have, for example, checks/ssl.py and tests/transport_layer/ssl.py	22:44
ccneill	right	22:45
mdong	we can probably revisit this when we do unittests for the tests themselves	22:45
unrahul	yup.. we need to do something like that, things are confusing as it is.. no need for unit tests to add to that	22:45
ccneill	renaming means we don't have to make a "tests/unit/tests" folder lol	22:45
openstackgerrit	Rahul U Nair proposed openstack/syntribos: Fixed bug RequestObject has no attribute `fuzz_request` https://review.openstack.org/349731	22:47
unrahul	ccneill: mdong syntribos was breaking for me.. because http parser was returning a new RequestObject each time (i guess),	22:48
unrahul	not sure if you guys noticed..	22:48
unrahul	could you guys check the CR i just posted..?	22:49
ccneill	unrahul: hmm, we should never call request.fuzz_request() though	22:54
ccneill	and there are no other "request_model_type"s	22:54
ccneill	there's only RequestObject	22:54
ccneill	maybe an outdated version of syntribos? I don't see any issues	22:54
ccneill	try a "pip uninstall syntribos && pip install --upgrade -e ."	22:55
ccneill	grep -r '\.fuzz_request' */.py	22:55
ccneill	syntribos/tests/fuzz/base_fuzz.py: fr = syntribos.tests.fuzz.datagen.fuzz_request(	22:56
ccneill	syntribos/tests/fuzz/xml_external.py: fr = syntribos.tests.fuzz.datagen.fuzz_request(	22:56
ccneill	tests/unit/test_datagen.py: d for d in fuzz_datagen.fuzz_request(req, strings, "url", "ut")	22:56
ccneill	tests/unit/test_datagen.py: d for d in fuzz_datagen.fuzz_request(req, strings, "data", "ut")	22:56
ccneill	tests/unit/test_datagen.py: fuzz_datagen.fuzz_request(req, strings, "params", "ut"), 1):	22:56
ccneill	make sure you pull too, since that parser change landed a little while ago	22:56
ccneill	argh, looks like Jenkins is overloaded again..	22:59
unrahul	did that.. still having the same issue, AttributeError: 'RequestObject' object has no attribute 'fuzz_request'	23:00
unrahul	:/	23:00
ccneill	weird.. what file/line?	23:00
unrahul	syntribos/syntribos/tests/fuzz/base_fuzz.py", line 121, in get_test_cases	23:00
unrahul	fr = xls.init_req.fuzz_request(	23:01
unrahul	cls*	23:01
ccneill	uhhhh	23:01
ccneill	hmmm...	23:01
ccneill	v_v	23:01
*** sdake has quit IRC		23:01
ccneill	strange...	23:01
ccneill	OH	23:01
unrahul	https://github.com/openstack/syntribos/blob/master/syntribos/tests/fuzz/base_fuzz.py#L121	23:02
ccneill	https://review.openstack.org/#/c/347116/7/syntribos/tests/fuzz/base_fuzz.py	23:02
ccneill	it's part of that giant CR :X	23:02
ccneill	I should've made the parser change dependent on the fuzzrequest change	23:02
unrahul	:D	23:02
* ccneill 's bad		23:02
unrahul	so ryt.. now.. the master it breaking ..	23:02
ccneill	argh :(	23:03
unrahul	phew.. that was a weird side effect	23:03
ccneill	I haven't seen it failing yet..	23:03
unrahul	For us it is breaking.. :/	23:03
ccneill	but it should fail	23:03
ccneill	right	23:03
ccneill	just not sure why I haven't seen it yet o_O	23:03
*** sdake has joined #openstack-security		23:03
unrahul	could you download the master and see if it is breaking.. ??	23:04
unrahul	yeah it should ryt..	23:04
ccneill	I mean.. it should, I think.. but I'm getting 0 errors O_o	23:04
ccneill	hmm	23:04
unrahul	whoa..	23:05
ccneill	doing an uninstall/reinstall..	23:05
ccneill	AH!	23:05
ccneill	there we go	23:05
ccneill	lol	23:05
unrahul	hehe	23:06
unrahul	:D	23:06
unrahul	should we merge the patch i had uploaded for now, as master is breaking?	23:06
ccneill	ok, well.. I guess we should merge this to un-break master, and then when we get the bigger CR merged, it will revise it	23:06
unrahul	yup..	23:06
unrahul	thanks ccneill	23:07
unrahul	was driving me crazy	23:07
ccneill	unrahul: np, +2'd	23:07
ccneill	hopefully Jenkins calms down a little now that it's the end of the work day...	23:08
unrahul	yeah,,	23:08
ccneill	and we get a +V soon	23:08
*** elmiko is now known as _elmiko		23:09
ccneill	gonna head out, gotta go buy a new power cord for my personal laptop.. see y'all tomorrow o/	23:10
unrahul	yup c u ccneill !	23:11
openstackgerrit	Aastha Dixit proposed openstack/syntribos: Adding additional fields to debug log https://review.openstack.org/347089	23:21
*** davidjd-gh has joined #openstack-security		23:29
*** davidjd-gh has left #openstack-security		23:29
*** sdake has quit IRC		23:31
*** edmondsw has quit IRC		23:40
*** sdake has joined #openstack-security		23:40
*** mdong has quit IRC		23:46
*** ccneill has quit IRC		23:46

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!