Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set the default log level to error instead of disabling it for the release build. #21538

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

qfrank
Copy link
Contributor

@qfrank qfrank commented Oct 31, 2024

see relate comment for details

status: ready.

@qfrank qfrank requested review from ilmotta and flexsurfer October 31, 2024 07:12
@qfrank qfrank self-assigned this Oct 31, 2024
@qfrank qfrank requested a review from jakubgs as a code owner October 31, 2024 07:12
@qfrank
Copy link
Contributor Author

qfrank commented Oct 31, 2024

I think we don't need manual QA for this simple change? @ilmotta @churik

@status-im-auto
Copy link
Member

status-im-auto commented Oct 31, 2024

Jenkins Builds

Commit #️⃣ Finished (UTC) Duration Platform Result
✔️ 63226f7 #1 2024-10-31 07:18:03 ~5 min tests 📄log
✔️ 63226f7 #1 2024-10-31 07:19:30 ~6 min android-e2e 🤖apk 📲
✔️ 63226f7 #1 2024-10-31 07:21:34 ~8 min android 🤖apk 📲
✔️ 63226f7 #1 2024-10-31 07:22:17 ~9 min ios 📱ipa 📲

@qfrank qfrank requested a review from siddarthkay October 31, 2024 07:23
Copy link
Member

@flexsurfer flexsurfer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

before doing this , we need to make sure we don't leak any user data

@qfrank
Copy link
Contributor Author

qfrank commented Oct 31, 2024

before doing this , we need to make sure we don't leak any user data

That seems like a hard job. Probably need to go through our whole code base? Or do you have any suggestions? @flexsurfer

@flexsurfer
Copy link
Member

That seems like a hard job

yes it is, i don't see any other options :(

@jakubgs
Copy link
Member

jakubgs commented Oct 31, 2024

Indeed, we have to be quite careful about what we put in log at each step, and if we are unsure of what is in the error logs currently then we need to audit that.

Or we need a layer on top of the logger that obscures potentially sensitive info based on regex/other rules.

@ilmotta
Copy link
Contributor

ilmotta commented Oct 31, 2024

While I of course do agree we should double-check or even audit we are not leaking private data in error logs, the logs are going to be stored locally on device (although not encrypted at rest) and we should not ask users for their logs (agreement with legal team).

If the user do want to share logs is because they assume the risk, but we don't ask directly and we don't endorse this idea. This is similar to almost all logs written in our own devices, we shouldn't share them with anybody.

Even if we audit the entire code base before every release (completely unrealistic) we will never be able to say for sure logs are safe to share. Another point is that users can change the log level, in which case it's guaranteed that we will leak private data (like an account address), hence asking users to share is always a dangerous business.

I found ~400 references to error.Log in status-go, so it's reasonable to give a good pass in the code. I didn't check the client code (there are 165 references to log/error, most only print whatever is returned by status-go).

These are suspicious or bad practices to log at the error level:

This one concerns me more:


It might be too much to check for 2.31 @qfrank, in which case feel free to park this issue.

In practice, what problem are we trying to solve? To me, the main reason to change the default log level is to help us diagnose bugs that happen during the onboarding (where the default log level is disabled) because after login, we (and users) are able to change the log level in Advanced Settings, so there's no need to change the default log level. That's why I suggested in another issue that the onboarding logs should be segregated from other logs, separate file, separate level, nothing was decrypted, wallet signals are not running, etc so many differences (more details here #21501 (comment)).

And changing the default log level would be mostly useful to us and QAs, when we are able to replicate bugs during onboarding in release builds. It's not really about asking users to share logs, although a user who's locked out could consider that (true, sad story).

@qfrank
Copy link
Contributor Author

qfrank commented Oct 31, 2024

This one concerns me more

When I saw this, I just want to die ...

because after login, we (and users) are able to change the log level in Advanced Settings, so there's no need to change the default log level

But random issue is not friendly.

Let's park this issue ATM .. Thank you all for your input! ❤️

@ilmotta
Copy link
Contributor

ilmotta commented Oct 31, 2024

When I saw this, I just want to die ...

In which way @qfrank? 😅 I think capturing and logging panics are very useful and you did a very important work related to that. When I reviewed, I missed the fact that this is debug data, therefore shouldn't use the error level. Even the code uses string(debug.Stack()), a good indicator that we shouldn't log at the error level ;)

Let's park this issue ATM .. Thank you all for your input!

We will come back to this problem I'm sure. Thanks @flexsurfer @jakubgs for raising the red flag.

@igor-sirotin
Copy link
Contributor

igor-sirotin commented Dec 13, 2024

I agree with @ilmotta that there's no way to ensure that logs don't leak any secrets. Even if we check all logs now, they can easily appear later.

We have this initiatives in status-go, which I believe can increase our confidence:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: CONTRIBUTOR
Development

Successfully merging this pull request may close these issues.

6 participants