We also need to sanitize the actual debug log messages (not just the first one during bootstrap), because all agents end up reporting their passwords via the API, as well as users, etc. So it isn't *just* sanitizing this one message. Though I also agree that I've definitely been aided by looking at the jenv contents in pastes, so I'd like to keep the sanitized form available.
John =:-> On Thu, May 29, 2014 at 5:23 AM, Ian Booth <[email protected]> wrote: > +1 on not killing the jenv logging - we just need to sanitise out the > secrets. > > On 29/05/14 11:18, Andrew Wilkins wrote: > > On Thu, May 29, 2014 at 4:25 AM, Nate Finch <[email protected] > >wrote: > > > >> Today I learned CI isn't running with --debug because they don't want to > >> expose sensitive data in their jenv... which gets logged when you run > with > >> --debug. However, it also means that we don't get all our really useful > >> debug log messages when something breaks in CI. > >> > >> I made a fix for this (deleting the line that logs the jenv). Please > let > >> me know if there's any reason we shouldn't do this. Logging people's > >> passwords/secrets is generally a big security no-no anyway, so I hope it > >> won't be controversial. > >> > > > > I'm +1 on not logging secrets, but I think not logging the .jenv at all > > will come back to bite us when we're debugging. It'd be better just to > > sanitise the output by using the EnvironProvider.SecretAttrs method. > > > > Also, we log the bootstrap script, and that contains the full bootstrap > > config. That needs to be sanitised (or suppressed) as well. > > > > > >> https://codereview.appspot.com/98580048 > >> > >> -Nate > >> > >> -- > >> Juju-dev mailing list > >> [email protected] > >> Modify settings or unsubscribe at: > >> https://lists.ubuntu.com/mailman/listinfo/juju-dev > >> > >> > > > > > > > > -- > Juju-dev mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/juju-dev >
-- Juju-dev mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju-dev
