[ https://issues.apache.org/jira/browse/SLING-10227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303195#comment-17303195 ]
Amit Jain edited comment on SLING-10227 at 3/17/21, 8:41 AM:
-------------------------------------------------------------

Ok I think the changes are not misaligned as I noted above. I think we should also remove [this|https://github.com/apache/sling-org-apache-sling-distribution-journal-messages/commit/18883d974b3bcfa680ec014f0c62a28bb83a2fba#diff-9f81b3a1b974f72fdf4895f53e12ebe22007536562a63a28889a32fb46eaa88dR77-R80] as the implementations can for e.g. have a pre-signed url which could be accessed before the expiry.

cc/ [~tmaret]


was (Author: amitj):
Ok I think the changes are not misaligned as I noted above. I think we should also remove [this|https://github.com/apache/sling-org-apache-sling-distribution-journal-messages/commit/18883d974b3bcfa680ec014f0c62a28bb83a2fba#diff-9f81b3a1b974f72fdf4895f53e12ebe22007536562a63a28889a32fb46eaa88dR77-R80] as the implementations can for e.g. have a pre-signed url which could be accessed before the expiry.

> Improvement in distribution logging to log id generated for binary reference and not log reference
> --------------------------------------------------------------------------------------------------
>
>                 Key: SLING-10227
>                 URL: https://issues.apache.org/jira/browse/SLING-10227
>             Project: Sling
>          Issue Type: Improvement
>          Components: Content Distribution
>            Reporter: Amit Jain
>            Priority: Major
>
> PackageDistribution also logs the binary reference which might log implementation details leaking out some secrets.
> Proposed [change|https://github.com/apache/sling-org-apache-sling-distribution-journal/compare/master...amit-jain:master] which is now upstaged with recent [changes|https://github.com/apache/sling-org-apache-sling-distribution-journal/blame/479dcb4f9784a152ebcc3a37fa6e172544754911/src/main/java/org/apache/sling/distribution/journal/impl/publisher/DistributionPublisher.java#L281-L282].
> [~tmaret] What's the way forward, I think we should only log certain elements and not all the package contents which besides the security issues can be quite heavy

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
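
The idea discussed in this issue, logging an id for a binary reference instead of the reference itself, shown as an added example that is not code from the Sling project or from the linked changes. The class and method names, the hash-derived id and the sample URL are assumptions made for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper, not part of sling-distribution-journal.
public class BinaryRefLogging {

    /** Stable, non-reversible id: first 8 bytes of the reference's SHA-256, hex-encoded. */
    static String logId(String binaryRef) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(binaryRef.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder("ref-");
            for (int i = 0; i < 8; i++) {
                sb.append(String.format("%02x", digest[i]));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JRE
        }
    }

    /** Scheme and host only, for diagnostics; path, query and fragment are dropped. */
    static String safeLocation(String binaryRef) {
        try {
            URI u = URI.create(binaryRef);
            if (u.getScheme() == null || u.getHost() == null) {
                return "<opaque>";
            }
            return u.getScheme() + "://" + u.getHost();
        } catch (IllegalArgumentException e) {
            return "<opaque>"; // not a URL at all, e.g. a blob-store internal id
        }
    }

    public static void main(String[] args) {
        // Constructed sample shaped like a pre-signed URL; not a real one.
        String ref = "https://blobs.example.invalid/pkg/abc123?sig=CONSTRUCTED-SECRET&expires=1615970460";
        String line = String.format("Distributing package binaryRef=%s location=%s",
                logId(ref), safeLocation(ref));
        System.out.println(line);
        // Neither the signature nor the object path may reach the log.
        if (line.contains("CONSTRUCTED-SECRET") || line.contains("abc123")) {
            throw new AssertionError("reference leaked into log line");
        }
    }
}
```

The same reference always maps to the same id, so log lines from different components can still be correlated without the log holding a URL that is usable until it expires.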