-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use separate streams for Runtime logging & logging pseudo-Node #1182
Comments
This may or may not be made simpler by using I think in any case it may be worth making logging more explicit, so that for instance, instead of using @daviddrysdale should we start with that? |
The two logging streams occur in distinct contexts:
To put it another way,
That makes me wonder whether having/maintaining two sets of wrapper macros will be worth the effort – it's not a distinction that's going to be visible to external developers. (Naming-wise, I guess |
I don't think they always appear in different context though, for instance (just a random one):
is a "safe" log, in that it does not depend on anything sensitive (though admittedly not many more under So in the log pseudo-node, the log statements would be "safe" because IFC constrains have already been checked by the node itself (or rather, by the runtime IFC mechanism, and by effectively fixing the label of the log node to "public"). Re: "can be debugged" policy, I think this just means that data must be public, in the current IFC model. With disjunctions, we may have a principal for debugging, but it still needs to be cryptographically bound to something (which may be the public key of who is expected to do the debugging, or a bearer token that the user grants them after the fact to allow the debugging after the fact). |
Ah, I think you're talking about a slightly different division that what I was intending to cover in this issue. My aim here was to cover a split between:
It sounds like you're wanting to subdivide things differently, into:
Is that roughly what you're suggesting? |
Yes that's a good summary, thanks! I think what I am suggesting should cover the use cases you described (if not, let me know, my intention was not to suggest something incompatible with yours, just more fine grained), plus allow us to have "allow-listed" safe log statements in the runtime that do not depend on data (for now manually checked, in the future perhaps with actual proofs, or at least with some tooling support?). Though the safe naming I suggested may not be very intuitive in the context of Rust, where usually things that need to be manually checked are marked as |
There two logically distinct streams of log messages:
log
crate, and pop out via whatever crate implements that façade. At the moment, the implementation is theenv_logger
crate (but see Investigate use ofslog
crate for logging #1088), and this is only enabled in builds that have theoak_debug
feature of the Runtime enabled (specifically, in theoak_loader
crate).oak_debug
build of the Runtime.However, at the moment the logging pseudo-Node emits the latter by calling
log!
, which means that:oak_debug
runtime drops all logging messages, rather than just dropping Runtime logs and emitting (IFC-allowed) application logs.So the logging pseudo-Node should emit app-driven messages with something other than
log!
.The text was updated successfully, but these errors were encountered: