[ 
https://issues.apache.org/jira/browse/SLING-10227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303195#comment-17303195
 ] 

Amit Jain edited comment on SLING-10227 at 3/17/21, 8:41 AM:
-------------------------------------------------------------

OK, I think the changes are not misaligned as I noted above.

I think we should also remove 
[this|https://github.com/apache/sling-org-apache-sling-distribution-journal-messages/commit/18883d974b3bcfa680ec014f0c62a28bb83a2fba#diff-9f81b3a1b974f72fdf4895f53e12ebe22007536562a63a28889a32fb46eaa88dR77-R80]
 as the implementations can, e.g., have a pre-signed URL which could be 
accessed before the expiry.

cc/ [~tmaret]


was (Author: amitj):
OK, I think the changes are not misaligned as I noted above.

I think we should also remove 
[this|https://github.com/apache/sling-org-apache-sling-distribution-journal-messages/commit/18883d974b3bcfa680ec014f0c62a28bb83a2fba#diff-9f81b3a1b974f72fdf4895f53e12ebe22007536562a63a28889a32fb46eaa88dR77-R80]
 as the implementations can, e.g., have a pre-signed URL which could be 
accessed before the expiry.

> Improvement in distribution logging to log id generated for binary reference 
> and not log reference
> --------------------------------------------------------------------------------------------------
>
>                 Key: SLING-10227
>                 URL: https://issues.apache.org/jira/browse/SLING-10227
>             Project: Sling
>          Issue Type: Improvement
>          Components: Content Distribution
>            Reporter: Amit Jain
>            Priority: Major
>
> PackageDistribution also logs the binary reference which might log 
> implementation details leaking out some secrets.
> Proposed 
> [change|https://github.com/apache/sling-org-apache-sling-distribution-journal/compare/master...amit-jain:master]
>  which is now upstaged with recent 
> [changes|https://github.com/apache/sling-org-apache-sling-distribution-journal/blame/479dcb4f9784a152ebcc3a37fa6e172544754911/src/main/java/org/apache/sling/distribution/journal/impl/publisher/DistributionPublisher.java#L281-L282].
> [~tmaret] What's the way forward? I think we should only log certain elements 
> and not all the package contents, which besides the security issues can be 
> quite heavy.
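
An added example, not code from the Sling project or from anyone in this thread: one way to log a derived id in place of a binary reference, so that a reference that is a pre-signed URL never reaches the log. The class `BinaryRefLogId`, the method `logId`, the sample URL and the package id are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added illustration; names are hypothetical, not Sling APIs. */
public final class BinaryRefLogId {

    private BinaryRefLogId() { }

    /**
     * Derives a stable, non-reversible id for a binary reference so log lines
     * can be correlated across instances without exposing the reference itself.
     */
    static String logId(String binaryRef) {
        if (binaryRef == null || binaryRef.isEmpty()) {
            return "none";
        }
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(binaryRef.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            // First 8 bytes (64 bits) are enough to correlate log entries.
            for (int i = 0; i < 8; i++) {
                hex.append(String.format("%02x", digest[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is required on every Java platform.
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a reference that is a pre-signed URL with a signature.
        String ref = "https://blobstore.example/bin/1234"
                + "?sig=CONSTRUCTED-SECRET&expires=1615970460";
        String pkgId = "dstrpck-constructed-0001";

        // Before: the reference, signature included, ends up in the log.
        System.out.println("Distributing package " + pkgId + " binaryRef=" + ref);
        // After: only the derived id is logged.
        System.out.println("Distributing package " + pkgId + " binaryRefId=" + logId(ref));
    }
}
```

A plain hash of a short or guessable reference can be confirmed by brute force; a keyed HMAC with a per-deployment key avoids that.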


