naanagon edited a comment on pull request #11516: URL: https://github.com/apache/kafka/pull/11516#issuecomment-975158641
> @naanagon, thanks for the PR. But I'm not sure if the change is necessary, because what we did for signature comparing is in the `isValid` method, and it's already compared in a time-constant way. Could you elaborate more on why you think this is necessary? Or point me to where in the code we did the `InternalRequestSignature#equals` and need time-constant comparing.
>
> Thank you.

@showuon, thanks for taking a look. The `isValid` method just compares the signature in a time-constant way. But the same should happen when comparing objects which have sensitive information. Even though `InternalRequestSignature#equals` isn't being used, I thought it should be implemented properly. The motivation for this PR is [DelegationToken.java](https://github.com/apache/kafka/blob/074a03cca162f91ccdecc12eb84c6a45af75f6bf/clients/src/main/java/org/apache/kafka/common/security/token/delegation/DelegationToken.java#L63); `DelegationToken#equals` also isn't being used, but that was implemented properly.
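
An added example, not part of the comment above and not Kafka's code: a hypothetical `SignedRequest` value class whose `equals` compares its MAC field with `MessageDigest.isEqual`, shown beside an early-exit comparison of the same fields. The class, its field names, the key and the body are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical value class (not Kafka's InternalRequestSignature): a body plus its HMAC.
public final class SignedRequest {
    private final byte[] body;
    private final byte[] signature; // secret-derived MAC bytes

    public SignedRequest(byte[] body, byte[] signature) {
        this.body = body.clone();
        this.signature = signature.clone();
    }

    // "Before": Arrays.equals may stop at the first differing byte, so the
    // run time depends on where the first mismatch in the MAC occurs.
    boolean equalsEarlyExit(SignedRequest other) {
        return Arrays.equals(body, other.body) && Arrays.equals(signature, other.signature);
    }

    // "After": the MAC is compared with MessageDigest.isEqual, which examines every byte.
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof SignedRequest)) return false;
        SignedRequest other = (SignedRequest) o;
        boolean macMatches = MessageDigest.isEqual(signature, other.signature);
        // Non-short-circuit '&': the body comparison always runs, whatever the MAC result.
        return macMatches & Arrays.equals(body, other.body);
    }

    // Hash only the non-secret field; objects that are equal still hash equally.
    @Override
    public int hashCode() {
        return Arrays.hashCode(body);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);    // constructed sample key
        byte[] body = "{\"task\":\"restart\"}".getBytes(StandardCharsets.UTF_8); // constructed sample body
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] good = mac.doFinal(body);
        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 0x01; // differs from the real MAC only in the last byte

        SignedRequest expected = new SignedRequest(body, good);
        System.out.println("same MAC, equals:          " + expected.equals(new SignedRequest(body, good)));
        System.out.println("tampered MAC, equals:      " + expected.equals(new SignedRequest(body, tampered)));
        System.out.println("tampered MAC, early-exit:  " + expected.equalsEarlyExit(new SignedRequest(body, tampered)));
    }
}
```

Both methods return the same boolean for every input; the difference is only in how much the comparison time depends on the contents of the MAC.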