
Matt silverlock

A Guide To Writing Logging Middleware in Go

This is an opinionated guide on how to write extensible logging middleware for Go web services. I’ve had a number of requests to add a built-in logger to gorilla/mux and to extend what is logged by gorilla/handlers, and they’re hard to triage. Many of the asks are for different things, since “what” to log, how much to log, and which library to use are not agreed-upon by all. Further, and especially in mux’s case, logging is not the focus of the library, and writing your own logging “middleware” can be simpler than you expect. The patterns in this guide can be extended to any HTTP middleware use-cases, including authentication & authorization, metrics, tracing, and web security. Logging just happens to be one of the most common use-cases and makes for a great example. If you’ve been writing Go for a while, you can skip to the code at the end of this post.
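The middleware shape the introduction describes, as an added example. This is not code from the original post (the post's own code is not reproduced on this page) and not part of gorilla/mux or gorilla/handlers; it uses only net/http and the standard library. The names `responseWriter`, `LoggingMiddleware` and `LogOneRequest`, the key=value line format, and the constructed requests in `main` are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// responseWriter wraps http.ResponseWriter so the middleware can read the
// status code and byte count after the handler returns; the plain interface
// does not expose either once WriteHeader/Write have been called.
type responseWriter struct {
	http.ResponseWriter
	status      int
	bytes       int
	wroteHeader bool
}

func wrapResponseWriter(w http.ResponseWriter) *responseWriter {
	// net/http sends 200 if the handler never calls WriteHeader; mirror that.
	return &responseWriter{ResponseWriter: w, status: http.StatusOK}
}

func (rw *responseWriter) WriteHeader(code int) {
	if rw.wroteHeader { // net/http ignores a second WriteHeader; so do we
		return
	}
	rw.status = code
	rw.wroteHeader = true
	rw.ResponseWriter.WriteHeader(code)
}

func (rw *responseWriter) Write(b []byte) (int, error) {
	if !rw.wroteHeader {
		rw.WriteHeader(http.StatusOK)
	}
	n, err := rw.ResponseWriter.Write(b)
	rw.bytes += n
	return n, err
}

// LoggingMiddleware (hypothetical name) returns a func(http.Handler) http.Handler,
// the shape both plain net/http and router Use() chains accept. Taking a
// *log.Logger instead of the package-level logger is what keeps it extensible:
// the caller picks the destination, and an auth or metrics middleware can reuse
// the same wrapper without touching this one. The path is %q-quoted because it
// is attacker-controlled and would otherwise let a request forge log fields.
func LoggingMiddleware(logger *log.Logger) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			start := time.Now()
			wrapped := wrapResponseWriter(w)
			// A panicking handler still gets a log line; re-panic so net/http
			// recovers it and closes the connection as it normally would.
			defer func() {
				if p := recover(); p != nil {
					logger.Printf("method=%s path=%q status=%d bytes=%d duration=%s panic=%v",
						r.Method, r.URL.Path, http.StatusInternalServerError, wrapped.bytes, time.Since(start), p)
					panic(p)
				}
			}()
			next.ServeHTTP(wrapped, r)
			logger.Printf("method=%s path=%q status=%d bytes=%d duration=%s",
				r.Method, r.URL.Path, wrapped.status, wrapped.bytes, time.Since(start))
		})
	}
}

// LogOneRequest (hypothetical helper) drives a handler through the middleware
// with a constructed request and returns the single log line it produced.
func LogOneRequest(h http.Handler, method, path string) string {
	var buf bytes.Buffer
	logger := log.New(&buf, "", 0) // no timestamp prefix, so the line is predictable
	LoggingMiddleware(logger)(h).ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(method, path, nil))
	return strings.TrimSpace(buf.String())
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok") // implicit 200
	})
	mux.HandleFunc("/teapot", func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "short and stout", http.StatusTeapot)
	})
	handler := LoggingMiddleware(log.New(os.Stdout, "", log.LstdFlags))(mux)
	// Constructed requests served in-process; /missing exercises the mux's own 404.
	for _, path := range []string{"/healthz", "/teapot", "/missing"} {
		handler.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, path, nil))
	}
}
```

One caveat worth knowing before copying this shape into production: wrapping the ResponseWriter in a struct hides the optional interfaces the underlying writer may implement (http.Flusher, http.Hijacker, io.ReaderFrom), so handlers that stream or upgrade connections will stop seeing them unless the wrapper forwards those methods too.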

A few weeks ago, the ubiquitous Java logging library log4j was found to have a severe security vulnerability with no available patch.

On December 9, 2021, a zero-day vulnerability involving arbitrary code execution in Log4j was published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell". It has been characterized by Tenable as "the single biggest, most critical vulnerability of the last decade".

If you want to learn more about the vulnerability, read the Log4Shell article on Wikipedia.

For this post, I want to share some thoughts that came up while witnessing the industry-wide response to this security incident.

Full disclosure: I didn't participate in the log4j incident response at my own company and very little of my work was impacted.

(Some of this section is copied from my twitter thread, but I've elaborated in some spots and edited for readability.)

Here's a fun exercise for folks with production code in GitHub:

1. Go to the Insights tab in your repo and navigate to the Dependencies page.
2. Pick a package that looks interesting and find out how it's funded.

Alternatively, you can look at the dependencies for something external you run in production. Here's the dependencies page for the OpenTelemetry Collector. One package I recognize that doesn't seem to be owned by the CNCF or a large corporation is gorilla/mux. I originally thought the project was owned by Google Open Source because I saw them listed in the AUTHORS.md file. Thankfully one of the maintainers replied to correct me:

This is an overall tech industry culture thing that I want to talk about in depth at some point. I won't be able to do it justice in this post.

I'm using the log4j vulnerability a bit selfishly as a learning opportunity, because one of the things we do in SRE is turn incidents into insights (oof, that's cheesy; I probably subconsciously stole it from some marketing copy).

As we review the events in this incident and the state of open source maintenance, it's important to remember that any complex system will always have emergent failures. Issues will appear that you couldn't possibly predict.

Additionally, the "socio-" part of "sociotechnical systems" is where most of the complexity lies, which is a bit scary because it's often invisible! When industry leaders call log4j's vulnerability a "design failure", they're telling a story where the maintainers are unequivocally at fault for this vulnerability making it out into the world. This judgmental language sets the stage for harassment of already-overworked maintainers.











