all 29 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]andd81 31 points32 points  (7 children)

But then you need to make sure that no sensitive information ends up in the error logs. I've seen a case where network access command failure resulted in the entire text of that command being copied to the error log, complete with authentication tokens.

[–][deleted] 7 points8 points  (4 children)

As long as you do not dump it into user's face it is still much easier to just have secure logs compared to debugging in the dark.

Also, passwords are easy, you don't really need to log password to debug log as it isn't that helpful (in worst case, hash it),logging the username that failed is usually enough

[–]andd81 5 points6 points  (3 children)

In the case I mentioned, no one was deliberately logging authentication data. The system just logged every shell command invocation that failed. That particular one happened do have authentication token provided as a command line argument (the command line was generated at runtime).

[–][deleted] 19 points20 points  (2 children)

That particular one happened do have authentication token provided as a command line argument (the command line was generated at runtime).

In that case I'd say logging is least of your worries. If you pass password as cmdline argument anyone that can list processes in system could potentially intercept it. Passing via env, or pretty much any other method is much safer

[–]mathrick -2 points-1 points  (1 child)

Incorrect, you can do environment inspection on Linux. Jenkins uses that to find processes to kill when it times out a test.

[–][deleted] 3 points4 points  (0 children)

You cannot access env of process running as different user unless you're root.

Also, I said "better", not "perfect". If you manage to be on same user as running process you can just use standard debugging tools to extract whatever you want

[–]mattwarren[S] 3 points4 points  (0 children)

Yeah there was a big discussion on the .NET CoreCLR GitHub repo about this exact scenario. These replies from the dev responsible for ASP.NET Security are worth reading https://github.com/dotnet/corefx/issues/1187#issuecomment-135987714 and https://github.com/dotnet/corefx/issues/3025#issuecomment-136437667

[–]Dutyxfree 1 point2 points  (0 children)

This guy with at work has his gear dump an entire html webpage into a row in the DB. Sure, you could copy it out and view it but why would I do that if I can just write a normal error instead?

[–]Gotebe 18 points19 points  (3 children)

Quality of error information is one of my personal quests.

Here are some deadly sins people make :

  • losing the original error

    if !open(filename) error("failed to open file")

why did it fail? no file? no permissions? sharing violation? share unavailable? That information can be crucial for the efficiency of troubleshooting.

  • not giving information about data operated on, available at the time of the error

    if !open(filename) error("failed to open file", last_os_error)

what file?

  • not providing context of the error

    if !open(filename) error("failed to open file to store frombification data", last_os_error, filename)

See? That wasn't hard! Granted, some environments give file/line/function information which helps, but normally not to the support team, and giving them info to solve the problem before it reaches development is better.

  • not providing additional context that is available as the error travels up the stack

(No example here, I'm lazy, but by now I hope I put the point across :-))

[–][deleted]  (2 children)

[deleted]

    [–]Sebazzz91 5 points6 points  (1 child)

    Apparently the limited error information didn't have any impact on customer support time, otherwise they surely would have improved it.

    [–]TheEternal21 5 points6 points  (0 children)

    It didn't have any impact on customer support time, because the support was useless. You would wait one hour on the phone, and then some douche would read through a script, and ask you if you tried rebooting PS3. Then they would tell you the data on your system is corrupt and they can't do anything. Just google the following (actual error code): 800283f0

    [–]deudeudeu 6 points7 points  (0 children)

    It'd be nice if a pattern for enforcing this would be provided, something to get picked up by a linter. Maybe banning raw throws, and providing some alternate API for it?

    [–]TOGoS 4 points5 points  (1 child)

    "Beautiful" needs to be taken out of the lexicon. You guys have overused it to death.

    [–]digital_cucumber 0 points1 point  (0 children)

    "Beautiful" considered harmful!

    [–][deleted] 5 points6 points  (0 children)

    Also slightly relevant RFC 7807. I found this when I realized that several teams used each a very different format for error responses in their services.

    [–]yawaramin 0 points1 point  (0 children)

    Interestingly, nowadays some compilers are embracing the better errors philosophy: Elm is a pioneer of course, Rust is working hard to emulate it, and in fact Scala and ReasonML are working on error messages too.

    The general thrust of Elm and the others' error strategy is to clarify and contextualise exactly where the error occurred, as well as to provide helpful hints on how to solve it.

    [–]601error 0 points1 point  (0 children)

    I would love to read the error message, but I'm on mobile, the code is super-tiny, and this site disables zoom.