[OpenAFS] Authentication without aklog

Markus Koeberl spsc-sysadmin@mlist.tugraz.at
Fri, 1 Aug 2014 11:56:34 +0200


--Boundary-01=_SR22Tx03E4rcjlb
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

On Thursday 31 July 2014 22:29:47 Andrew Deason wrote:
> Hi all,
> 
> I've had a few users and administrators complain to me from time to time
> about the existence of 'aklog'. (By 'aklog' I really mean any mechanism
> to convert krb5 tickets to AFS tokens, but I'm referring to them all as
> 'aklog' for simplicity.) The need for an AFS-specific authentication
> step is an annoyance for some, and for some others, prohibits the use of
> AFS in some applications.
>
> The first time I heard this I was a bit surprised, but that may be just
> because I'm very used to the 'aklog' approach and find it intuitive. You
> need to tell the kernel what credentials you want it to use for AFS
> access; makes sense to me.

After years of working with AFS it gets normal to use kinit; aklog. Thinking about the advantage of it I realize that there is only one use case for me: Access a service authenticated as kerberos admin and have user access to AFS. But of course this is not standard for a normal user. And as complicated it is now it would not be no more complicated with your proposed solutions later in your mail...
 
> The alternative is to effectively "guess" what credentials we should be
> using, which is what NFSv4 does (rpc.gssd). That is, all you need to do
> to authenticate is to run a plain 'kinit' or equivalent (with no
> knowledge of AFS/NFS), and the kernel tries to find the ccache you used
> and turn it into a token itself. This approach has a noticeable number
> of cases where it does the wrong thing, and so you hear complaints about
> it from time to time. But when it works correctly, it's invisible, so I
> expect the only time you hear about it (from users) are the complaints.
> 
> But, at least for some environments, the downsides of rpc.gssd are
> smaller than the downsides of needing to run 'aklog' at all. I don't
> expect openafs to completely get rid of aklog and move to an rpc.gssd
> approach (I personally don't think I would like that), but I think there
> may be some compromises that would be helpful to people.

Because we do not have a batch system which supports accessing AFS users are forced to run simulations remotely via ssh if it is necessary to access data in AFS

So everybody running simulations remotely via ssh learns earlier or later what kinit and aklog does. Because just login and run a simulation is not enough:
- first they find out that you need a kerberos ticket and afs token which last long enough, or take care of renewing them
- later they find out that if the ssh connection breaks they loose the kerberos ticket and afs token. So it is necessary to work around this...

> Some possible approaches:
> 
>  - We could have a client option to make rpc.gssd-like behavior a
>    fallback, if no other credentials were set with e.g. 'aklog'.
>  
>  - We could have an option to turn on rpc.gssd-like behavior as a
>    fallback for a specific PAG. That is, within a pag you say something
>    like 'pagctl pick-my-creds --enable'. ('pagctl' doesn't exist yet, of
>    course; it's just an idea in my head)
> 
>  - We could have an option to aklog that would automatically renew
>    credentials using the information available to aklog at the time. For
>    example, if you run, say, 'aklog -autorenew', aklog would tell the
>    kernel its KRB5CCNAME and any other relevant information, and the
>    kernel would later on run an equivalent aklog command to obtain
>    credentials in exactly the same way for that PAG. For example, if
>    KRB5CCNAME was set to FILE:/tmp/foo1234, the kernel would later on
>    try to use the ccache file /tmp/foo1234 to obtain creds before the
>    existing creds expire.
> 
> With those last two, you still need to run some afs-specific command for
> authentication, but you only need to run it once for the entire life of
> the "session"/PAG. That's still annoying, but it removes the need for
> renewing credentials within the actual session, which is not always
> practical. (k5start/krenew works for many cases, but sometimes you don't
> have the ability to run your own command)

One problem regularly occurs is that a user underestimated the time the simulation will run and at the end it is not possible to save the data into AFS. A solution where it is not necessary to run aklog inside the PAG would I guess solve this problem.
Because the common way people run their simulation is the following:
* ssh to host
* screen
* get a long lasting kerberos ticket
* run a pagsh script which creates a copy of the kerberos ticket and runs aklog
* start the simulation, if possible from time to time run kinit -R; aklog in the simulation

If the kerberos ticket runs out of lifetime it is possible to login to the host an replace the kerberos ticket manually. But it is not possible to run a shell inside the right PAG

I do not know if krenew would also resolve this problem. People in our group do not use it for a reason I do not know.
 
> Anyway, I'm sending this to the -info list to try to get some feedback
> from other users. I've mentioned these ideas briefly to a few others,
> who seemed to want something in this direction, but I'd like to get
> opinions and feedback from as many sites as possible. The actual details
> of implementing these ideas is a discussion for developers, but just
> seeing what behavior people want is a discussion for here.
> 
> So, please speak up. Does this sound helpful do you? Or a bad idea? Or
> anything else? Feedback is appreciated, even if it's just a "yeah, that
> would be nice to have", or even "I don't really care".

This sounds like a nice feature which may make life easier for us and possible also solve some problems. I do not see disadvantages. Maybe somebody can point out some of them. 


regards
Markus
-- 
Markus Koeberl
Graz University of Technology
Signal Processing and Speech Communication Laboratory
E-mail: markus.koeberl@tugraz.at

--Boundary-01=_SR22Tx03E4rcjlb
Content-Type: text/html;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html><head><meta name="qrichtext" content="1" /><style type="text/css">
p, li { white-space: pre-wrap; }
</style></head><body style=" font-family:'DejaVu Sans Mono'; font-size:9pt; font-weight:400; font-style:normal;">
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">On Thursday 31 July 2014 22:29:47 Andrew Deason wrote:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; Hi all,</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; I've had a few users and administrators complain to me from time to time</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; about the existence of 'aklog'. (By 'aklog' I really mean any mechanism</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; to convert krb5 tickets to AFS tokens, but I'm referring to them all as</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; 'aklog' for simplicity.) The need for an AFS-specific authentication</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; step is an annoyance for some, and for some others, prohibits the use of</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; AFS in some applications.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; The first time I heard this I was a bit surprised, but that may be just</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; because I'm very used to the 'aklog' approach and find it intuitive. You</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; need to tell the kernel what credentials you want it to use for AFS</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; access; makes sense to me.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">After years of working with AFS it gets normal to use kinit; aklog. Thinking about the advantage of it I realize that there is only one use case for me: Access a service authenticated as kerberos admin and have user access to AFS. But of course this is not standard for a normal user. And as complicated it is now it would not be no more complicated with your proposed solutions later in your mail...</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; The alternative is to effectively &quot;guess&quot; what credentials we should be</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; using, which is what NFSv4 does (rpc.gssd). That is, all you need to do</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; to authenticate is to run a plain 'kinit' or equivalent (with no</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; knowledge of AFS/NFS), and the kernel tries to find the ccache you used</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; and turn it into a token itself. This approach has a noticeable number</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; of cases where it does the wrong thing, and so you hear complaints about</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; it from time to time. But when it works correctly, it's invisible, so I</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; expect the only time you hear about it (from users) are the complaints.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; But, at least for some environments, the downsides of rpc.gssd are</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; smaller than the downsides of needing to run 'aklog' at all. I don't</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; expect openafs to completely get rid of aklog and move to an rpc.gssd</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; approach (I personally don't think I would like that), but I think there</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; may be some compromises that would be helpful to people.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Because we do not have a batch system which supports accessing AFS users are forced to run simulations remotely via ssh if it is necessary to access data in AFS</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">So everybody running simulations remotely via ssh learns earlier or later what kinit and aklog does. Because just login and run a simulation is not enough:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">- first they find out that you need a kerberos ticket and afs token which last long enough, or take care of renewing them</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">- later they find out that if the ssh connection breaks they loose the kerberos ticket and afs token. So it is necessary to work around this...</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; Some possible approaches:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;  - We could have a client option to make rpc.gssd-like behavior a</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    fallback, if no other credentials were set with e.g. 'aklog'.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;  </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;  - We could have an option to turn on rpc.gssd-like behavior as a</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    fallback for a specific PAG. That is, within a pag you say something</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    like 'pagctl pick-my-creds --enable'. ('pagctl' doesn't exist yet, of</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    course; it's just an idea in my head)</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;  - We could have an option to aklog that would automatically renew</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    credentials using the information available to aklog at the time. For</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    example, if you run, say, 'aklog -autorenew', aklog would tell the</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    kernel its KRB5CCNAME and any other relevant information, and the</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    kernel would later on run an equivalent aklog command to obtain</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    credentials in exactly the same way for that PAG. For example, if</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    KRB5CCNAME was set to FILE:/tmp/foo1234, the kernel would later on</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    try to use the ccache file /tmp/foo1234 to obtain creds before the</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt;    existing creds expire.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; With those last two, you still need to run some afs-specific command for</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; authentication, but you only need to run it once for the entire life of</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; the &quot;session&quot;/PAG. That's still annoying, but it removes the need for</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; renewing credentials within the actual session, which is not always</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; practical. (k5start/krenew works for many cases, but sometimes you don't</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; have the ability to run your own command)</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">One problem regularly occurs is that a user underestimated the time the simulation will run and at the end it is not possible to save the data into AFS. A solution where it is not necessary to run aklog inside the PAG would I guess solve this problem.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Because the common way people run their simulation is the following:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">* ssh to host</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">* screen</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">* get a long lasting kerberos ticket</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">* run a pagsh script which creates a copy of the kerberos ticket and runs aklog</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">* start the simulation, if possible from time to time run kinit -R; aklog in the simulation</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">If the kerberos ticket runs out of lifetime it is possible to login to the host an replace the kerberos ticket manually. But it is not possible to run a shell inside the right PAG</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">I do not know if krenew would also resolve this problem. People in our group do not use it for a reason I do not know.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; Anyway, I'm sending this to the -info list to try to get some feedback</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; from other users. I've mentioned these ideas briefly to a few others,</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; who seemed to want something in this direction, but I'd like to get</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; opinions and feedback from as many sites as possible. The actual details</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; of implementing these ideas is a discussion for developers, but just</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; seeing what behavior people want is a discussion for here.</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; So, please speak up. Does this sound helpful do you? Or a bad idea? Or</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; anything else? Feedback is appreciated, even if it's just a &quot;yeah, that</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">&gt; would be nice to have&quot;, or even &quot;I don't really care&quot;.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">This sounds like a nice feature which may make life easier for us and possible also solve some problems. I do not see disadvantages. Maybe somebody can point out some of them. </p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">regards</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Markus</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">-- </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Markus Koeberl</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Graz University of Technology</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Signal Processing and Speech Communication Laboratory</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">E-mail: markus.koeberl@tugraz.at</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; ">&nbsp;</p></body></html>
--Boundary-01=_SR22Tx03E4rcjlb--