
Re: [TYPO3-dev] Depreciation log grows too fast and too big



Hi.

On 01.04.2009 07:27 Xavier Perseguers wrote:
> IIRC there was such a discussion on the core list and people there did
> not want to introduce such an option. At last, the goal is not to annoy
> people with insipid log entries but to make admins aware that they use
> old extensions that should be patched/upgraded/replaced ASAP.
>

We should have learned from the security review project, that educating
people is an honorable goal, but does not automatically work as expected.
Nowadays one has to click a checkbox in the extension manager to be able
to have access to most of the extensions. IMHO the educative effects of
this are:
1) confusion (EM not working as expected),
2) search for and apply solution,
3) keep on installing insecure extensions (people have been informed but
left alone without practical solutions)
4) get convinced that the security review project is a failure.

This is not meant as a critique against the security team. I once was
part of it and was a strong prosecutor of the reviews. But now I changed
my mind.

> itself. I think this is where the problem is: introducing this
> deprecation feature without taking care of quickly enough making the
> core compatible with it.

No it's not. The problem is not that it grows fast, but that it grows
infinitely by default. Thanks to the core bugs, we had the chance to see
how annoying this logfile could be.

> 
> This deprecation log makes sense and should not be removed or at least
> not by default. But core should very soon become compatible and perhaps
> an install note should tell sysadmins that adding a rule to their
> logrotate config might be a good idea...
> 

ATM the log file is located in typo3conf. This is quite annoying,
because www has access to it. No chance to change that without ugly code
hacks (including .htaccess). The obscurity of the hashed filename alone
doesn't hide the file from outside (the investigation of GhostNet
demonstrated that).
The routines are designed to let the file grow endlessly without a
built-in option. This is critical for any system regardless of how fast it
happens.
In my eyes these are two critical flaws, which got introduced by design.
Not all people have access to logrotate (think of managed webspace).

So you would get my +1 for this patch with one cosmetic exception:
change
$TYPO3_CONF_VARS['SYS']['enableDeprecationLogFile']
to
$TYPO3_CONF_VARS['SYS']['enableDeprecationLog']
(see bugtracker)

-- 
cheers,
Steffen

http://www.t3node.com/
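
An added example, not part of the original message and not TYPO3 core code: one way to handle the two flaws named above (log file reachable under the web root, unbounded growth) on hosts without logrotate. The function name, directory layout and size limit are hypothetical.

```php
<?php
// Added illustration. writeBoundedLog(), the paths and the limits are
// assumptions for this sketch, not part of TYPO3.

/**
 * Append one line to a size-capped log file.
 * When the next write would push the file past $maxBytes, the file is
 * rotated to "<file>.1", replacing the previous generation, so total
 * disk use stays at roughly 2 * $maxBytes.
 */
function writeBoundedLog(string $logFile, string $message, int $maxBytes = 1048576): bool
{
    // Strip line breaks so one call always produces exactly one log line.
    $line = date('c') . ' ' . str_replace(["\r", "\n"], ' ', $message) . "\n";

    clearstatcache(true, $logFile);
    if (is_file($logFile) && filesize($logFile) + strlen($line) > $maxBytes) {
        // Keep a single older generation. Two processes may both reach this
        // point; the worst case is one extra rotation, not unbounded growth.
        if (!rename($logFile, $logFile . '.1')) {
            return false;
        }
    }

    $isNew = !is_file($logFile);
    // LOCK_EX serialises concurrent appends.
    if (file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) === false) {
        return false;
    }
    if ($isNew) {
        chmod($logFile, 0640); // no world-readable log
    }
    return true;
}

// Constructed usage: the log directory sits beside the document root,
// not inside it, so no URL maps to the file.
$logDir = dirname(__DIR__) . '/private-logs'; // hypothetical location
if (!is_dir($logDir)) {
    mkdir($logDir, 0750, true);
}
writeBoundedLog($logDir . '/deprecation.log', 'deprecated call: exampleFunction()', 4096);
```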