[YAMos-dev] Re: Ticket #90 (Debug Output without private Data)

  • From: Jens Langner <Jens.Langner@xxxxxxxxxxxxxx>
  • To: yamos-dev@xxxxxxxxxxxxx
  • Date: Fri, 12 Mar 2010 12:30:18 +0100

Hi Frank,

On 12.03.10 11:28, Frank Weber wrote:

>>> Has anybody opinions against the patch?
>> Yes, I do ;) But as I want to make sure you understand why I feel
>> that your patch might not be appropriate for us, I explain why:
>> 1. It would bring down the general performance of the debug
>> output quite considerably because on every output the string
>> would have to be parsed before being output. Just think about
>> large outputs. In addition, the debug output in its current form
>> already slows down the performance of YAM a lot and adding that
>> IMHO unnecessary functionality would bring it down even more.
> My slogan also in my real life is security first.
> Then follow speed of course. :-)

Well, this is actually a common German slogan and not a private one from
you ;)

>> 2. It would prevent debug statements which I tend to use: "time
>> request issued@10:00:00" because the "@" sign is not only used
>> for email addresses.
> I check that already and *all* at signs are followed by a space
> in the current debug output.

Ok, but this was only supposed to be an example so that you get the idea
what I mean. It would definitely limit us in what we want to output. For
example, how can I then explicitly output an email address in case I
require that for some debugging reason?

>> 3. E-mail addresses are not as sensitive information like
>> passwords. And for the password case we already addressed your
>> request in ticket #90.
> Not sensitive information for you and for me but other people have of
> course another opinion.

Definitely, but still the gap between what is really sensitive
information and what is not so sensitive information is clear. Passwords
are more important to not be output than email addresses. That's all
what I am arguing about.

>> 4. It works around the main problem: The user himself is
>> responsible for submitting information without any sensitive
>> information he might feel might be necessary to be left out.
> Do you know how many a user must change in such log? Depending on the
> debuglevel of course. An average user would not replace so much in
> the log. He might prefer not to send such a logfile because of the
> lot of work.

The same "search&destroy" approach can be done in every text editor. The
user only has to fire up his favourite text editor and do a
"search&replace" for email addresses.

>> 5. You cannot catch all cases of stripping private information
>> anyway. Just think about an email with private information in
>> there. Something from his bank account or a private communication
>> with his girlfriend or even the real name of persons he doesn't
>> want to get affiliated to.
> Yes of course. But you know email addresses are easy to find by a bot
> and can be used to send mass of spam mails.

I know, but the point is still valid that we would still have to
instruct users to check their debug logs for private information before
sending them over to us.

>> 6. Debug output is meant to be "DEBUG" stuff and not for general
>> use. If a user is requested to send that information to us he
>> always is/should be informed about stripping out all private
>> information he might think might be necessary. That is really all
>> we can/should do.
> See also point 5.

I did, but I think my point is still valid that a user has to be
informed/instructed anyway.

>> So I am very sorry, but I still have to reject your patch as IMHO
>> it just works around the main problem (user being responsible)
>> and it would make our (developers) life a little bit harder as
>> the debug output would slow down for no particular reason.
> try to see it also from the POV of an average user and think again
> about it...

The average user is not supposed to send us debug information himself
because he/she is anyway not trained on how to catch the output and
which debug levels to enable. So in case one of our developers requests
a debug output from an average user he should properly instruct the user
to take care not to expose private information when sending the
logfiles. The same applies to config files or mail files a developer
might need for debugging. Also, even if we would have the email address
stripping implemented we still have to instruct users to check their
caught debug log because of point (5).

In addition, the same arguments you brought up would be valid for the
"DEBUG" option a user can pass to YAM to output the TCP/IP traffic.
There we also don't strip anything because it might be required by the
user (think about checking if server authentication works or not).

So I am sorry, and I really don't want to disappoint you, but I am still
not convinced that your patch represents an improvement for our development.

best regards,
Jens Langner, Dresden/Germany
YAM developer mailing list - http://www.freelists.org/list/yamos-dev
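
The trade-offs argued in points 1, 2 and 4 above, as an added example that is not YAM code and not the patch under discussion: a one-time scrub over an already saved log line, so the debug output path itself pays nothing, with a matcher that leaves "issued@10:00:00" and a bare "@ " alone. The names `redact_emails`, `match_email` and `MASK` are hypothetical, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MASK "[email]"   /* constructed placeholder, not a YAM string */

static int is_local(unsigned char c)  { return isalnum(c) || (c && strchr("._%+-", c)); }
static int is_domain(unsigned char c) { return isalnum(c) || c == '.' || c == '-'; }

/* Length of the address that starts at s, or 0 if s does not start one. */
static size_t match_email(const char *s)
{
    size_t j = 0, k, last, i;
    while (is_local((unsigned char)s[j])) j++;
    if (j == 0 || s[j] != '@') return 0;
    for (k = j + 1; is_domain((unsigned char)s[k]); k++) ;
    while (k > j + 1 && (s[k - 1] == '.' || s[k - 1] == '-')) k--; /* trailing punctuation */
    for (last = k; last > j + 1 && s[last - 1] != '.'; last--) ;
    if (last <= j + 2 || k - last < 2) return 0;  /* "issued@10": no dotted domain */
    for (i = last; i < k; i++) if (!isalpha((unsigned char)s[i])) return 0; /* name label */
    return k;
}

/* Copies in to out with addresses masked; returns the count, or -1 if out is too small. */
int redact_emails(const char *in, char *out, size_t outsz)
{
    size_t i = 0, o = 0, n, m = strlen(MASK);
    int hits = 0;
    if (outsz == 0) return -1;
    while (in[i]) {
        /* only try a match at the start of a token, which keeps the pass linear */
        n = (i == 0 || !is_local((unsigned char)in[i - 1])) ? match_email(in + i) : 0;
        if (o + (n ? m : 1) >= outsz) return -1;
        if (n) { memcpy(out + o, MASK, m); o += m; i += n; hits++; }
        else   out[o++] = in[i++];
    }
    out[o] = '\0';
    return hits;
}

int main(void)
{
    /* constructed sample lines, not real YAM debug output */
    const char *lines[] = { "time request issued@10:00:00",
                            "MAIL FROM:<user@example.org> accepted." };
    char buf[128];
    for (int n = 0; n < 2; n++)
        if (redact_emails(lines[n], buf, sizeof buf) >= 0) puts(buf);
    return 0;
}
```

As point 5 says, a pass like this only covers addresses; message bodies, real names and other private content in a log still need a manual check before the file is sent.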