Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mbedtls: cmake&ninja, threading, clean-up; hiawatha: options, Nix mbedtls #41722

Merged
merged 3 commits into from Jun 28, 2018
Merged

mbedtls: cmake&ninja, threading, clean-up; hiawatha: options, Nix mbedtls #41722

merged 3 commits into from Jun 28, 2018

Conversation

Anton-Latukha
Copy link
Contributor

@Anton-Latukha Anton-Latukha commented Jun 8, 2018
edited

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@Anton-Latukha
Copy link
Contributor Author

Anton-Latukha commented Jun 8, 2018
edited

Let's discuss what to do more.

> cmake -LH
...
// Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull
CMAKE_BUILD_TYPE:STRING=

// Install path prefix, prepended onto install directories.
CMAKE_INSTALL_PREFIX:PATH=/var/empty/local

// Build mbed TLS programs.
ENABLE_PROGRAMS:BOOL=ON

// Build mbed TLS tests.
ENABLE_TESTING:BOOL=ON

// Build mbed TLS with zlib library.
ENABLE_ZLIB_SUPPORT:BOOL=OFF

// Install mbed TLS headers.
INSTALL_MBEDTLS_HEADERS:BOOL=ON

// Explicitly link mbed TLS library to pthread.
LINK_WITH_PTHREAD:BOOL=OFF

// Allow unsafe builds. These builds ARE NOT SECURE.
UNSAFE_BUILD:BOOL=OFF

// Build mbed TLS with the pkcs11-helper library.
USE_PKCS11_HELPER_LIBRARY:BOOL=OFF

// Build mbed TLS shared library.
USE_SHARED_MBEDTLS_LIBRARY:BOOL=OFF

// Build mbed TLS static library.
USE_STATIC_MBEDTLS_LIBRARY:BOOL=ON

To configure CMake for building shared libraries, use:

cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On /path/to/mbedtls_source

There are many different build modes available within the CMake buildsystem. Most of them are available for gcc and clang, though some are compiler-specific:

`Release` - This generates the default code without any unnecessary information in the binary files.
`Debug` - This generates debug information and disables optimization of the code.
`Coverage` - This generates code coverage information in addition to debug information.
`ASan` - This instruments the code with AddressSanitizer to check for memory errors. (This includes LeakSanitizer, with recent version of gcc and clang.) (With recent version of clang, this mode also instruments the code with UndefinedSanitizer to check for undefined behaviour.)
`ASanDbg` - Same as ASan but slower, with debug information and better stack traces.
`MemSan` - This instruments the code with MemorySanitizer to check for uninitialised memory reads. Experimental, needs recent clang on Linux/x86_64.
`MemSanDbg` - Same as MemSan but slower, with debug information, better stack traces and origin tracking.
`Check` - This activates the compiler warnings that depend on optimization and treats all warnings as errors.

@Anton-Latukha
Copy link
Contributor Author

Tests

Mbed TLS includes an elaborate test suite in tests/ that initially requires Perl to generate the tests files (e.g. test_suite_mpi.c). These files are generated from a function file (e.g. suites/test_suite_mpi.function) and a data file (e.g. suites/test_suite_mpi.data). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.

For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, additional test scripts are available:

`tests/ssl-opt.sh` runs integration tests for various TLS options (renegotiation, resumption, etc.) and tests interoperability of these options with other implementations.
`tests/compat.sh` tests interoperability of every ciphersuite with other implementations.
`tests/scripts/test-ref-configs.pl` test builds in various reduced configurations.
`tests/scripts/key-exchanges.pl` test builds in configurations with a single key exchange enabled
`tests/scripts/all.sh` runs a combination of the above tests, plus some more, with various build options (such as ASan, full config.h, etc).

@Anton-Latukha
Copy link
Contributor Author

Both gcc and clang are supported.

@Anton-Latukha
Copy link
Contributor Author

Anton-Latukha commented Jun 8, 2018
edited

https://github.com/ARMmbed/mbedtls/blob/c041435fcf9e1fd55f9e4ea15c6f6e4107a4c97e/include/mbedtls/config.h#L2612-L2629

And all other options are there.

@Anton-Latukha
Copy link
Contributor Author

Configure script keys:
https://github.com/ARMmbed/mbedtls/blob/master/scripts/config.pl

@Anton-Latukha
Copy link
Contributor Author

/tests/scripts/all.sh has many completely destructive scripts, and also relies heavily on automake and everything.

# Warning: the test is destructive. It includes various build modes and
# configurations, and can and will arbitrarily change the current CMake
# configuration. The following files must be committed into git:
#    * include/mbedtls/config.h
#    * Makefile, library/Makefile, programs/Makefile, tests/Makefile
# After running this script, the CMake cache will be lost and CMake
# will no longer be initialised.
#
# The script assumes the presence of a number of tools:
#   * Basic Unix tools (Windows users note: a Unix-style find must be before
#     the Windows find in the PATH)
#   * Perl
#   * GNU Make
#   * CMake
#   * GCC and Clang (recent enough for using ASan with gcc and MemSan with clang, or valgrind)
#   * arm-gcc and mingw-gcc
#   * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
#   * Yotta build dependencies, unless invoked with --no-yotta
#   * OpenSSL and GnuTLS command line tools, recent enough for the
#     interoperability tests. If they don't support SSLv3 then a legacy
#     version of these tools must be present as well (search for LEGACY
#     below).

@Anton-Latukha
Copy link
Contributor Author

Looks something like this.

CMake build works great on Linux.
I removed hacks related to autotools on macOS.

Please launch macOS build.

@Anton-Latukha
Copy link
Contributor Author

Calling maintainer @fpletz. Hello!

@Anton-Latukha
Copy link
Contributor Author

@jtojnar.
Please, can you say your word on this one.

@jtojnar
Copy link
Contributor

jtojnar commented Jun 9, 2018

@GrahamcOfBorg build mbedtls

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: mbedtls

Partial log (click to expand)

shrinking /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0/bin/crypt_and_hash
shrinking /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0/bin/aescrypt2
shrinking /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0/lib/libmbedcrypto.so.2.10.0
shrinking /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0/lib/libmbedx509.so.2.10.0
shrinking /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0/lib/libmbedtls.so.2.10.0
strip is /nix/store/qg2agrqkf240s656d207zqhipl0bc2id-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0/lib  /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0/bin
patching script interpreter paths in /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0
checking for references to /build in /nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0...
/nix/store/f74df1im3bjgidd99cpkjbm6am0c30lz-mbedtls-2.10.0

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: mbedtls

Partial log (click to expand)

shrinking /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/bin/crl_app
shrinking /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/bin/rsa_sign
shrinking /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/bin/dtls_server
shrinking /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/lib/libmbedcrypto.so.2.10.0
shrinking /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/lib/libmbedx509.so.2.10.0
shrinking /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/lib/libmbedtls.so.2.10.0
strip is /nix/store/21ymadblbmsbb2bk4q7gl4kjasp8zmgd-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/lib  /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0/bin
patching script interpreter paths in /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0
checking for references to /build in /nix/store/34x4h1y0cdax58vyv3inj1hr6vag5iqk-mbedtls-2.10.0...

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: mbedtls

Partial log (click to expand)

-- Installing: /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0/bin/req_app
-- Installing: /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0/bin/cert_req
-- Installing: /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0/bin/cert_write
-- Installing: /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0/bin/strerror
-- Installing: /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0/bin/pem2der
post-installation fixup
strip is /nix/store/yyak5sjv68n9vdgnkd2cb5djk1l9sqj5-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0/lib  /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0/bin
patching script interpreter paths in /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0
/nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0

jtojnar
jtojnar reviewed Jun 9, 2018
View reviewed changes
pkgs/servers/http/hiawatha/default.nix Outdated
@@ -7,7 +7,7 @@
, libxslt
, libxml2

, enableSSL ? true
, enableSystemTls ? true, mbedtls ? null
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should always use system TLS, if we build with TLS support.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

System-wide thread-able dynamic library - makes it a less secure variant to bundled library.
Through threading process in some cases some information can be shared, or gathered.
https://tls.mbed.org/kb/development/thread-safety-and-multi-threading

That is why I made this switch. For truly paranoid people to crank-up the security more.

Sigh. Of course, everything always has some security explanation.

P.S.

As this is secure server - I enabled TLS by default.
Case when TLS would not be needed, but secure server needed - is possible, but probably not a spread case.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can imagine encryption to be disabled on embedded devices or local server in protected network.

Using bundled libraries is inherently less secure than using the system one. Nixpkgs maintainers can apply security fixes and update the library globally, long before hiawatha or other consumer updates. As for the link, I think it refers to memory safety (as usual with shared memory and concurrency), different applications would use different memory ranges.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I also understood words as they are about parallel threads in one application can indirectly disclose some information to one another.

I would change comment notes.

As they are elementary, I implemented all Hiawatha build switches at this point. That looks like not too superfluous.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is the case, it really would not matter when system library is used. The threads will use the same library in either case.

pkgs/development/libraries/mbedtls/default.nix
];

postInstall = stdenv.lib.optionalString stdenv.isDarwin ''
install_name_tool -change libmbedcrypto.dylib $out/lib/libmbedcrypto.dylib $out/lib/libmbedtls.dylib
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly ask the author of these lines.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Mic92 Good day!

Long story short.
I migrate mbed TLS to officially supported CMake.

Mostly Linux and Mac builds seems to be clean.

Please say your toughs on these changes that undo also positInstalls from commit.

I can not find way to text macOS, or get a bundle of builded by bot /nix/store/csyz7nid4zkf766z9djsxspx4b6cafnd-mbedtls-2.10.0 to investigate.

So, please say your thoughts on these changes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the fixes are there primarily for the consumers of the library

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not add these lines.
Are those required? @mnacamura

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My addition was the DLEXT=dylib part only. If extension is .so, some programs cannot find library on darwin. So I added it.

The contents of postInstall was I think added in #20940.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But the build by cmake seems to do it correctly without these lines.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary: We decided that this clean-up of code is legitimate, so it stays.

@Anton-Latukha Anton-Latukha changed the title [WIP] mbedtls: build with cmake&ninja [WIP] mbedtls: cmake&ninja build, clean-up; hiawatha: add options, use Nix mbedtls Jun 10, 2018
@Anton-Latukha Anton-Latukha changed the title [WIP] mbedtls: cmake&ninja build, clean-up; hiawatha: add options, use Nix mbedtls [WIP] mbedtls: cmake&ninja, threading, clean-up; hiawatha: options, Nix mbedtls Jun 10, 2018
@Anton-Latukha Anton-Latukha changed the title [WIP] mbedtls: cmake&ninja, threading, clean-up; hiawatha: options, Nix mbedtls mbedtls: cmake&ninja, threading, clean-up; hiawatha: options, Nix mbedtls Jun 10, 2018
jtojnar
jtojnar requested changes Jun 19, 2018
View reviewed changes
pkgs/servers/http/hiawatha/default.nix Outdated
( if enableCache then "-DENABLE_CACHE=on" else "-DENABLE_CACHE=off" )
( if enableIpV6 then "-DENABLE_IPV6=on" else "-DENABLE_IPV6=off" )
( if enableTls then "-DENABLE_TLS=on" else "-DENABLE_TLS=off" )
( if enableSystemTls then "-DUSE_SYSTEM_MBEDTLS=on" else "-DUSE_SYSTEM_MBEDTLS=off" )
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding it again because it was collapsed by GitHub, we should always build with system libraries.

@Mic92
Copy link
Member

Mic92 commented Jun 28, 2018

@GrahamcOfBorg build mbedtls

@GrahamcOfBorg
Copy link

Failure on x86_64-linux (full log)

Partial log (click to expand)

Merge failed

@Mic92
Copy link
Member

Mic92 commented Jun 28, 2018

@GrahamcOfBorg build hiawatha

@GrahamcOfBorg
Copy link

Failure on x86_64-linux (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg
Copy link

Failure on x86_64-darwin (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg
Copy link

Failure on x86_64-darwin (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg
Copy link

Failure on aarch64-linux (full log)

Partial log (click to expand)

Merge failed

@GrahamcOfBorg
Copy link

Failure on aarch64-linux (full log)

Partial log (click to expand)

Merge failed

@Anton-Latukha Anton-Latukha force-pushed the mbedtls branch 2 times, most recently from f23a7a2 to f241a5f Compare June 28, 2018 10:19
@Anton-Latukha
Copy link
Contributor Author

@Mic92
Synced with upstream. Please run bot gain.

@Mic92
Copy link
Member

Mic92 commented Jun 28, 2018

@GrahamcOfBorg build hiawatha

@Mic92
Copy link
Member

Mic92 commented Jun 28, 2018

@Anton-Latukha you can also ask for ofborg access here: NixOS/ofborg#173

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: hiawatha

Partial log (click to expand)

shrinking /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/sbin/cgi-wrapper
shrinking /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/sbin/wigwam
shrinking /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/sbin/hiawatha
gzipping man pages under /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/share/man/
strip is /nix/store/0pjsgkxz0rp5baycq5sp2s72lrr5q9sg-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/bin  /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/sbin
patching script interpreter paths in /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1
checking for references to /build in /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1...
moving /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/sbin/* to /nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1/bin
/nix/store/7d8my7pmgqx8dqjxsxp5nnzfccakpib6-hiawatha-10.8.1

@GrahamcOfBorg
Copy link

Success on x86_64-darwin (full log)

Attempted: hiawatha

Partial log (click to expand)

-- Installing: /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/var/log/hiawatha
-- Installing: /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/var/run
-- Installing: /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/var/lib/hiawatha
post-installation fixup
gzipping man pages under /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/share/man/
strip is /nix/store/7ddbq63v97nk8gkbf7gcsfmby37h6gbl-cctools-binutils-darwin/bin/strip
stripping (with command strip and flags -S) in /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/bin  /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/sbin
patching script interpreter paths in /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1
moving /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/sbin/* to /nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1/bin
/nix/store/sxvapa8vysai6gakq74zfr1x7y1layb7-hiawatha-10.8.1

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: hiawatha

Partial log (click to expand)

shrinking /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/sbin/wigwam
shrinking /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/sbin/cgi-wrapper
shrinking /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/bin/ssi-cgi
gzipping man pages under /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/share/man/
strip is /nix/store/4qvrxzxa535y8304mk195x50b6p9607d-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/bin  /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/sbin
patching script interpreter paths in /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1
checking for references to /build in /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1...
moving /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/sbin/* to /nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1/bin
/nix/store/0dvfknysdyam8jyvwfxh335g9fg22n64-hiawatha-10.8.1

@Mic92 Mic92 merged commit c876db6 into NixOS:master Jun 28, 2018
gavinrogers pushed a commit to gavinrogers/nixpkgs that referenced this pull request Jun 28, 2018
@Anton-Latukha
mbedtls: cmake&ninja, threading, clean-up; hiawatha: options, Nix mbe…
ea7284c 
…dtls (NixOS#41722)

* mbedtls: build with cmake&ninja, clean-up

* mbedtls: cmake ninja Darwin build clean-up

* hiawatha: add build options, use system mbedTLS, platforms -> unix
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnacamura mnacamura mnacamura left review comments

@Mic92 Mic92 Mic92 left review comments

@jtojnar jtojnar jtojnar requested changes

Assignees
No one assigned
Labels
2.status: work-in-progress 8.has: package (new) 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@Anton-Latukha @jtojnar @GrahamcOfBorg @Mic92 @mnacamura