chore_: remove private information for error log

[qfrank]

relate comment

I've also tried search with keyword: fmt.Error :
fmt.Errorf-search-result.txt.zip

truncated some sensitive information in error messages.

[status-im-auto]

Jenkins Builds

Click to see older builds (49)

❔	Commit	#️⃣	Finished (UTC)	Duration	Platform	Result
✔️	d3404d3	#1	2025-02-07 10:25:54	~5 min	linux	📦zip
✔️	d3404d3	#1	2025-02-07 10:25:54	~5 min	macos	📦zip
✔️	d3404d3	#1	2025-02-07 10:26:11	~5 min	ios	📦zip
✔️	d3404d3	#1	2025-02-07 10:26:34	~5 min	windows	📦zip
✖️	d3404d3	#1	2025-02-07 10:26:40	~5 min	tests-rpc	📄log
✔️	d3404d3	#1	2025-02-07 10:26:40	~6 min	android	📦aar
✔️	d3404d3	#1	2025-02-07 10:26:40	~5 min	macos	📦zip
✔️	d3404d3	#1	2025-02-07 10:51:41	~30 min	tests	📄log
❌	e83da29	#2	2025-02-10 07:42:31	~1 min	ios	📄log
❌	e83da29	#2	2025-02-10 07:43:07	~2 min	macos	📄log
❌	e83da29	#2	2025-02-10 07:43:10	~2 min	android	📄log
❌	e83da29	#2	2025-02-10 07:43:25	~2 min	windows	📄log
❌	e83da29	#2	2025-02-10 07:43:52	~2 min	linux	📄log
✖️	e83da29	#2	2025-02-10 07:44:21	~3 min	tests-rpc	📄log
✖️	e83da29	#2	2025-02-10 07:44:29	~3 min	tests	📄log
❌	e83da29	#2	2025-02-10 07:44:30	~3 min	macos	📄log
❌	f5be723	#3	2025-02-10 07:45:55	~1 min	ios	📄log
❌	f5be723	#3	2025-02-10 07:46:34	~2 min	android	📄log
❌	f5be723	#3	2025-02-10 07:46:35	~2 min	macos	📄log
❌	f5be723	#3	2025-02-10 07:46:42	~2 min	windows	📄log
✖️	f5be723	#3	2025-02-10 07:46:52	~2 min	tests	📄log
❌	f5be723	#3	2025-02-10 07:47:19	~2 min	linux	📄log
❌	f5be723	#3	2025-02-10 07:48:00	~3 min	macos	📄log
✖️	f5be723	#3	2025-02-10 07:48:14	~3 min	tests-rpc	📄log
✔️	24cd545	#4	2025-02-10 11:35:25	~3 min	macos	📦zip
✔️	24cd545	#4	2025-02-10 11:35:53	~3 min	windows	📦zip
✔️	24cd545	#4	2025-02-10 11:37:06	~5 min	macos	📦zip
✖️	24cd545	#4	2025-02-10 11:37:16	~5 min	tests-rpc	📄log
✔️	24cd545	#4	2025-02-10 11:37:31	~5 min	linux	📦zip
✔️	24cd545	#4	2025-02-10 11:38:07	~6 min	android	📦aar
✔️	24cd545	#4	2025-02-10 12:01:48	~29 min	tests	📄log
✔️	24cd545	#5	2025-02-10 12:32:32	~3 min	tests-rpc	📄log
✔️	24cd545	#4	2025-02-10 18:41:52	~7 hr 9 min	ios	📦zip
✖️	9a4053b	#6	2025-02-14 03:47:29	~1 min	tests-rpc	📄log
✔️	9a4053b	#5	2025-02-14 03:50:20	~4 min	windows	📦zip
✔️	9a4053b	#5	2025-02-14 03:50:30	~4 min	macos	📦zip
✔️	9a4053b	#5	2025-02-14 03:51:05	~4 min	ios	📦zip
✔️	9a4053b	#5	2025-02-14 03:51:25	~5 min	macos	📦zip
✔️	9a4053b	#5	2025-02-14 03:51:39	~5 min	linux	📦zip
✔️	9a4053b	#5	2025-02-14 03:52:14	~6 min	android	📦aar
✔️	9a4053b	#5	2025-02-14 04:16:13	~29 min	tests	📄log
✖️	200e9cb	#7	2025-02-18 04:51:20	~1 min	tests-rpc	📄log
✔️	200e9cb	#6	2025-02-18 04:54:10	~4 min	macos	📦zip
✔️	200e9cb	#6	2025-02-18 04:54:39	~4 min	ios	📦zip
✔️	200e9cb	#6	2025-02-18 04:54:59	~5 min	macos	📦zip
✔️	200e9cb	#6	2025-02-18 04:55:01	~5 min	windows	📦zip
✔️	200e9cb	#6	2025-02-18 04:55:32	~5 min	linux	📦zip
✔️	200e9cb	#6	2025-02-18 04:56:14	~6 min	android	📦aar
✔️	200e9cb	#6	2025-02-18 05:20:54	~31 min	tests	📄log

❔	Commit	#️⃣	Finished (UTC)	Duration	Platform	Result
✔️	dcde21c	#7	2025-02-18 05:49:54	~3 min	android	📦aar
✔️	dcde21c	#7	2025-02-18 05:50:03	~3 min	ios	📦zip
✔️	dcde21c	#7	2025-02-18 05:50:39	~3 min	windows	📦zip
✔️	dcde21c	#7	2025-02-18 05:52:06	~5 min	macos	📦zip
✔️	dcde21c	#7	2025-02-18 05:52:29	~5 min	macos	📦zip
✔️	dcde21c	#7	2025-02-18 05:52:47	~5 min	linux	📦zip
✔️	dcde21c	#8	2025-02-18 05:59:41	~12 min	tests-rpc	📄log
✔️	dcde21c	#7	2025-02-18 06:18:09	~31 min	tests	📄log
✔️	f172f29	#8	2025-02-19 11:42:26	~2 min	android	📦aar
✔️	f172f29	#8	2025-02-19 11:42:59	~3 min	ios	📦zip
✔️	f172f29	#8	2025-02-19 11:44:43	~5 min	windows	📦zip
✔️	f172f29	#8	2025-02-19 11:44:59	~5 min	macos	📦zip
✔️	f172f29	#8	2025-02-19 11:45:21	~5 min	linux	📦zip
✔️	f172f29	#8	2025-02-19 11:46:08	~6 min	macos	📦zip
✔️	f172f29	#9	2025-02-19 11:50:30	~10 min	tests-rpc	📄log
✖️	f172f29	#8	2025-02-19 12:10:59	~31 min	tests	📄log

[codecov]

Codecov Report

Attention: Patch coverage is 20.56738% with 112 lines in your changes missing coverage. Please review.

Project coverage is 59.63%. Comparing base (b2cd7bd) to head (dcde21c).

Files with missing lines	Patch %	Lines
server/handlers.go	30.00%	14 Missing ⚠️
mobile/status.go	0.00%	10 Missing ⚠️
protocol/messenger_communities.go	12.50%	7 Missing ⚠️
services/communitytokens/service.go	0.00%	7 Missing ⚠️
services/wallet/collectibles/controller.go	25.00%	6 Missing ⚠️
services/wallet/collectibles/manager.go	0.00%	6 Missing ⚠️
protocol/linkpreview_unfurler_status.go	0.00%	5 Missing ⚠️
api/geth_backend.go	20.00%	4 Missing ⚠️
protocol/messenger.go	33.33%	4 Missing ⚠️
protocol/messenger_share_urls.go	0.00%	4 Missing ⚠️
... and 24 more

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #6334      +/-   ##
===========================================
- Coverage    59.67%   59.63%   -0.04%     
===========================================
  Files          865      865              
  Lines       112981   112995      +14     
===========================================
- Hits         67418    67387      -31     
- Misses       37727    37773      +46     
+ Partials      7836     7835       -1     

Flag	Coverage Δ
functional	0.45% <0.00%> (-0.01%)	⬇️
unit	59.63% <20.56%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
common/utils.go	82.14% <100.00%> (+4.36%)	⬆️
protocol/messenger_community_shard.go	70.83% <100.00%> (ø)
services/wallet/router/pathprocessor/errors.go	100.00% <ø> (ø)
account/accounts.go	57.67% <0.00%> (ø)
protocol/communities/manager.go	65.35% <0.00%> (-0.17%)	⬇️
protocol/identity/utils.go	90.47% <66.66%> (ø)
protocol/messenger_handler.go	59.62% <0.00%> (ø)
protocol/messenger_store_node_request_manager.go	41.60% <0.00%> (ø)
protocol/storenodes/database.go	72.86% <0.00%> (ø)
...s/rpcfilters/transaction_sent_to_upstream_event.go	73.58% <0.00%> (ø)
... and 27 more

... and 24 files with indirect coverage changes

[seanstrom]

Looks good ✅

Though I was wondering if it's possible to not redact the error messages when running on a development build. Maybe that's not a wise choice, but I was thinking that sometimes the logs were useful for tracing some things. Thoughts?

[qfrank]

Though I was wondering if it's possible to not redact the error messages when running on a development build. Maybe that's not a wise choice, but I was thinking that sometimes the logs were useful for tracing some things.

Agree. WDYT? @osmaczko

[ilmotta]

Though I was wondering if it's possible to not redact the error messages when running on a development build.

My 2 cents @seanstrom @qfrank: the logging model relies on levels, if we break this model we will be adding unnecessary complexity. Could be risky as well because we would need to be 100% sure the release builds will have error logs redacted correctly, whatever mechanism we come up with.

Maybe that's not a wise choice, but I was thinking that sometimes the logs were useful for tracing some things.

If there's an error returned from Go code and there's a need to log private data, I think surrounding code should provide the necessary context via other log levels (like debug, or trace).

[fryorcraken]

this is NO GO to me. it removes information such as full message id. Which is then going to make impossible to trace message reliability issues.

I think it's fine to ensure that message content is not shared.

We could also consider that full message id only appear in "trace" and not "debug".

But such a change may lead to create issue in both bug investigation and benchmarking cc @AlbertoSoutullo

Also, transfer of chat protocol ownership has been done to the waku chat team. While we are working on setting the right boundary, we need to ensure that the chat team is in the loop of this kind of changes cc @plopezlpz

[qfrank]

this is NO GO to me. it removes information such as full message id. Which is then going to make impossible to trace message reliability issues.

I think it's fine to ensure that message content is not shared.

We could also consider that full message id only appear in "trace" and not "debug".

But such a change may lead to create issue in both bug investigation and benchmarking cc @AlbertoSoutullo

Also, transfer of chat protocol ownership has been done to the waku chat team. While we are working on setting the right boundary, we need to ensure that the chat team is in the loop of this kind of changes cc @plopezlpz

I tried to avoid truncate full message/peer id etc as I knew the message tracing requirement, if there exist in this PR that must be my mistake, I'll recheck @fryorcraken

[AlbertoSoutullo]

this is NO GO to me. it removes information such as full message id. Which is then going to make impossible to trace message reliability issues.

I think it's fine to ensure that message content is not shared.

We could also consider that full message id only appear in "trace" and not "debug".

But such a change may lead to create issue in both bug investigation and benchmarking cc @AlbertoSoutullo

Also, transfer of chat protocol ownership has been done to the waku chat team. While we are working on setting the right boundary, we need to ensure that the chat team is in the loop of this kind of changes cc @plopezlpz

Logs in trace make the experiments extremely more complicated because of the overhead in logging.
Also, we will always need information regarding which peer id sent the message, which one received it, the message hash, timestamps...
Without that information, it is impossible to do a proper analysis.

[fryorcraken]

Copying my message from Discord to retain context:

I tried to avoid truncate full message/peer id etc as I knew the message tracing requirement, if there exist in this PR that must be my mistake, I'll recheck @fryorcraken

Thanks for that. I'll let @pabl0___ review as he is closer to the matter.

I don't have a strong opinion on making Status a 100% privacy app

There is nuance to that. I think it's important to better define "privacy" in this context. Privacy can usually be distilled down to "linkability" between a user (aka PII aka IP or wallet address) and an action/data (aka a message)

In this context, why would one censor logs?
The obvious answer is what if those logs "leak"?

@osmaczko has already highlighted that such leakage should be out-of-scope for the Status app, as long as standard practices are followed:

• For desktop, it means storing logs in a folder dedicated to the app (and not a remote server for example).
• For android, it means storing them in the right android/data repo, which are usually not accessible by other apps, etc.

---

Now, we know very well from our domain that there is also the risk of users sharing logs for bug investigation purposes (which is what I called "debugging" earlier, I did not strictly mean running gdb).
We know very well to not log seeds and private keys in logs, because user don't know better - which is fair.

I think this is the core of the question: do we want to ensure unlinkability between a user's github login, and them being the author of a specific message, or participation to a community?

Well, the "good" (it's not good) news for now, is that Waku does not provide strong sender privacy (just yet). so the logs are not the weakest link (for now).

What we do want, is full msg id, especially for logs shared by CCs, QA, and test runs, so that we can trace messages in case of reliability issues, across system.

So it seems fair to do:

• debug mode: full msg id
• info/error: truncated msg id

Now, I realise I may have jumped the gun with my comment here: #6334 (comment)
As you did not truncate message ids in debug level, but only in error level.

My apologies. And you have pushed back here 👍

In general, let's ensure waku chat team is asked for review of changes in chat code (ie @plopezlpz ) please.

[ilmotta]

So it seems fair to do:

debug mode: full msg id
info/error: truncated msg id

Makes sense @fryorcraken. We should indeed use the log levels, and the error level we should try to leak as little as possible because it is a critical level for investigations from release builds.

There is nuance to that. I think it's important to better define "privacy" in this context. Privacy can usually be distilled down to "linkability" between a user (aka PII aka IP or wallet address) and an action/data (aka a message)

Right 👍🏼 And we already discussed some nuances regarding what privacy can or cannot be in the recent past, for example, that we shouldn't log addresses. I don't recall us ever agreeing exactly on the mapping between what data can be logged at which level and how much the data should be redacted in case we need some traceability. This seems to be a good exercise for us.

Status already aligned some time ago with the Legal team that we will not ask users to share logs, no matter the level. We also cannot guarantee logs at the debug level won't leak some data that could be considered private or exploited because this level is supposed to be used for development pretty much. If the user shares logs they are always going to do so at their own risk. Additionally, we are trying to make pre-login logs safer to share at the error level, for exceptional cases where the user is locked out due to bugs.

For android, it means storing them in the right android/data repo, which are usually not accessible by other apps, etc.

In mobile devices, we are starting the work to store logs only within the protected app directory. Nowadays in Android, logs like geth.log are written in the easily accessible Downloads directory.

In general, let's ensure waku chat team is asked for review of changes in chat code (ie @plopezlpz ) please.

Thanks for the reminder 👍🏼

Logs in trace make the experiments extremely more complicated because of the overhead in logging

@AlbertoSoutullo would logs at the debug level be acceptable? What is the overhead you mention in your experience? Too much noise to filter out? Perhaps status-go log namespaces could be useful to further keep noise in check? cc @osmaczko

[AlbertoSoutullo]

@ilmotta From my experience, when we have a heavy logging we need to be careful with not overloading the monitoring system.
I don't know how much of trouble would be to add specific logs under a compile flag. If debug is not extremely heavy, we can work around that. It will be slower, but manageable.

[ilmotta]

@ilmotta From my experience, when we have a heavy logging we need to be careful with not overloading the monitoring system. If debug is not extremely heavy, we can work around that. It will be slower, but manageable.

The debug level is quite noisy and may output MBs per minute if I remember correctly. With log namespaces you can control the log level per namespace

status-go/services/ext/api.go

Lines 1806 to 1808 in f494d09

	func (api *PublicAPI) SetLogNamespaces(request *requests.SetLogNamespaces) error {
	return api.service.messenger.SetLogNamespaces(request)
	}

, thus I imagine custom namespaces could be used to narrow logs to only certain parts of the messenger?

I don't know how much of trouble would be to add specific logs under a compile flag.

Interesting :) I think I understand what you mean, but could you elaborate on how you imagine using these "specific" logs? When would you use them instead of the normal logging system based on levels?