feat_: add pre login log

[qfrank]

Change Summary:

• Move SetupLogSettings to the end of the call chain (e.g. createAccountAndLogin / loginAccount / restoreAccountAndLogin) to ensure that logs before a successful login are written to pre_login.log
• The pre login log currently does not support disabling (next PR will support this), the log level is the same as geth.log, but if the frontend does not set the log level, the default log level is ERROR, to ensure that pre_login.log always exists, so that in case the user cannot log in, we can obtain potentially useful error information
• After a successful login, logs are no longer written to pre_login.log, but are redirected to geth.log
• After logging out, logs are no longer written to geth.log, but are redirected to pre_login.log

related: status-im/status-mobile#21501

[status-im-auto]

Jenkins Builds

Click to see older builds (96)

❔	Commit	#️⃣	Finished (UTC)	Duration	Platform	Result
✖️	8038f84	#1	2025-01-26 09:46:42	~4 min	tests	📄log
✔️	8038f84	#1	2025-01-26 09:48:03	~5 min	macos	📦zip
✔️	8038f84	#1	2025-01-26 09:48:27	~6 min	windows	📦zip
✔️	8038f84	#1	2025-01-26 09:48:29	~6 min	macos	📦zip
✔️	8038f84	#1	2025-01-26 09:48:40	~6 min	android	📦aar
✔️	8038f84	#1	2025-01-26 09:48:45	~6 min	ios	📦zip
✔️	8038f84	#1	2025-01-26 09:48:50	~6 min	linux	📦zip
✖️	8038f84	#1	2025-01-26 09:49:11	~6 min	tests-rpc	📄log
✔️	61298b1	#2	2025-01-26 10:07:34	~3 min	windows	📦zip
✔️	61298b1	#2	2025-01-26 10:08:14	~4 min	macos	📦zip
✔️	61298b1	#2	2025-01-26 10:08:30	~4 min	linux	📦zip
✔️	61298b1	#2	2025-01-26 10:08:42	~5 min	macos	📦zip
✔️	61298b1	#2	2025-01-26 10:09:05	~5 min	ios	📦zip
✔️	61298b1	#2	2025-01-26 10:09:51	~6 min	android	📦aar
✖️	61298b1	#2	2025-01-26 10:10:41	~7 min	tests-rpc	📄log
✖️	61298b1	#2	2025-01-26 10:34:14	~30 min	tests	📄log
✔️	ce0993d	#3	2025-01-27 07:03:25	~4 min	windows	📦zip
✔️	ce0993d	#3	2025-01-27 07:04:20	~5 min	macos	📦zip
✔️	ce0993d	#3	2025-01-27 07:04:30	~5 min	macos	📦zip
✔️	ce0993d	#3	2025-01-27 07:04:34	~5 min	ios	📦zip
✔️	ce0993d	#3	2025-01-27 07:04:58	~5 min	linux	📦zip
✖️	ce0993d	#3	2025-01-27 07:05:12	~6 min	tests-rpc	📄log
✔️	ce0993d	#3	2025-01-27 07:05:37	~6 min	android	📦aar
✔️	ce0993d	#3	2025-01-27 07:29:44	~30 min	tests	📄log
✔️	3d90b00	#4	2025-01-27 07:07:32	~4 min	windows	📦zip
✔️	3d90b00	#4	2025-01-27 07:09:08	~4 min	macos	📦zip
✔️	3d90b00	#4	2025-01-27 07:09:35	~5 min	macos	📦zip
✔️	3d90b00	#4	2025-01-27 07:10:09	~5 min	ios	📦zip
✔️	3d90b00	#4	2025-01-27 07:10:33	~5 min	linux	📦zip
✖️	3d90b00	#4	2025-01-27 07:11:22	~6 min	tests-rpc	📄log
✔️	3d90b00	#4	2025-01-27 07:11:52	~6 min	android	📦aar
✔️	3d90b00	#4	2025-01-27 08:00:01	~30 min	tests	📄log
✔️	efa7b7a	#5	2025-02-05 04:50:49	~3 min	macos	📦zip
✔️	efa7b7a	#5	2025-02-05 04:51:00	~4 min	ios	📦zip
✖️	efa7b7a	#5	2025-02-05 04:52:04	~5 min	tests-rpc	📄log
✔️	efa7b7a	#5	2025-02-05 04:52:04	~5 min	macos	📦zip
✔️	efa7b7a	#5	2025-02-05 04:52:13	~5 min	windows	📦zip
✔️	efa7b7a	#5	2025-02-05 04:52:28	~5 min	linux	📦zip
✔️	efa7b7a	#5	2025-02-05 04:53:05	~6 min	android	📦aar
✔️	efa7b7a	#5	2025-02-05 05:17:49	~30 min	tests	📄log
✔️	4d36326	#6	2025-02-05 05:41:27	~4 min	ios	📦zip
✔️	4d36326	#6	2025-02-05 05:41:33	~3 min	macos	📦zip
✔️	4d36326	#6	2025-02-05 05:41:35	~4 min	windows	📦zip
✔️	4d36326	#6	2025-02-05 05:42:34	~5 min	macos	📦zip
✖️	4d36326	#6	2025-02-05 05:42:37	~5 min	tests-rpc	📄log
✔️	4d36326	#6	2025-02-05 05:43:10	~5 min	linux	📦zip
✔️	4d36326	#6	2025-02-05 05:43:43	~6 min	android	📦aar
✔️	4d36326	#6	2025-02-05 06:06:30	~28 min	tests	📄log
✔️	34fb976	#7	2025-02-05 06:19:23	~3 min	ios	📦zip
✔️	34fb976	#7	2025-02-05 06:19:26	~3 min	macos	📦zip
✔️	34fb976	#7	2025-02-05 06:20:39	~5 min	macos	📦zip
✔️	34fb976	#7	2025-02-05 06:20:49	~5 min	linux	📦zip
✔️	34fb976	#7	2025-02-05 06:21:01	~5 min	windows	📦zip
✔️	34fb976	#7	2025-02-05 06:21:01	~5 min	android	📦aar
✔️	34fb976	#7	2025-02-05 06:21:10	~5 min	tests-rpc	📄log
✔️	34fb976	#7	2025-02-05 06:46:52	~31 min	tests	📄log
✔️	57ef643	#8	2025-02-05 08:06:47	~3 min	macos	📦zip
✔️	57ef643	#8	2025-02-05 08:07:02	~3 min	windows	📦zip
✔️	57ef643	#8	2025-02-05 08:07:11	~4 min	ios	📦zip
✔️	57ef643	#8	2025-02-05 08:08:13	~5 min	macos	📦zip
✔️	57ef643	#8	2025-02-05 08:08:22	~5 min	tests-rpc	📄log
✔️	57ef643	#8	2025-02-05 08:08:23	~5 min	linux	📦zip
✔️	57ef643	#8	2025-02-05 08:09:00	~6 min	android	📦aar
✔️	57ef643	#8	2025-02-05 08:34:11	~31 min	tests	📄log
✔️	57ef643	#10	2025-02-07 10:25:35	~3 min	windows	📦zip
✔️	57ef643	#10	2025-02-07 10:25:43	~4 min	macos	📦zip
✔️	57ef643	#10	2025-02-07 10:26:50	~5 min	linux	📦zip
✔️	57ef643	#10	2025-02-07 10:26:53	~5 min	tests-rpc	📄log
✔️	57ef643	#10	2025-02-07 10:27:01	~5 min	ios	📦zip
✔️	57ef643	#10	2025-02-07 10:27:32	~5 min	macos	📦zip
✔️	57ef643	#10	2025-02-07 10:28:22	~6 min	android	📦aar
✔️	57ef643	#10	2025-02-07 10:52:39	~31 min	tests	📄log
✔️	98e4472	#9	2025-02-07 09:39:32	~3 min	macos	📦zip
✔️	98e4472	#9	2025-02-07 09:39:40	~4 min	ios	📦zip
✔️	98e4472	#9	2025-02-07 09:39:50	~4 min	windows	📦zip
✔️	98e4472	#9	2025-02-07 09:40:30	~4 min	linux	📦zip
✔️	98e4472	#9	2025-02-07 09:40:45	~5 min	macos	📦zip
✔️	98e4472	#9	2025-02-07 09:40:51	~5 min	tests-rpc	📄log
✔️	98e4472	#9	2025-02-07 09:41:49	~6 min	android	📦aar
✔️	98e4472	#9	2025-02-07 10:05:16	~29 min	tests	📄log
✖️	f4bf73f	#11	2025-02-17 11:04:53	~1 min	tests-rpc	📄log
✔️	f4bf73f	#11	2025-02-17 11:07:02	~4 min	ios	📦zip
✔️	f4bf73f	#11	2025-02-17 11:07:02	~4 min	macos	📦zip
✔️	f4bf73f	#11	2025-02-17 11:08:07	~5 min	macos	📦zip
✔️	f4bf73f	#11	2025-02-17 11:08:22	~5 min	windows	📦zip
✔️	f4bf73f	#11	2025-02-17 11:08:35	~5 min	linux	📦zip
✔️	f4bf73f	#11	2025-02-17 11:09:03	~6 min	android	📦aar
✔️	f4bf73f	#11	2025-02-17 11:34:20	~31 min	tests	📄log
✔️	7ae58a4	#12	2025-02-18 05:55:56	~2 min	ios	📦zip
✔️	7ae58a4	#12	2025-02-18 05:57:09	~3 min	macos	📦zip
✔️	7ae58a4	#12	2025-02-18 05:58:07	~4 min	android	📦aar
✔️	7ae58a4	#12	2025-02-18 05:58:26	~5 min	macos	📦zip
✔️	7ae58a4	#12	2025-02-18 05:58:30	~5 min	windows	📦zip
✔️	7ae58a4	#12	2025-02-18 05:59:04	~5 min	linux	📦zip
✔️	7ae58a4	#12	2025-02-18 06:05:18	~12 min	tests-rpc	📄log
✔️	7ae58a4	#12	2025-02-18 06:24:46	~31 min	tests	📄log

❔	Commit	#️⃣	Finished (UTC)	Duration	Platform	Result
✔️	2689308	#13	2025-02-20 09:12:59	~2 min	ios	📦zip
✔️	2689308	#13	2025-02-20 09:14:05	~4 min	android	📦aar
✔️	2689308	#13	2025-02-20 09:14:06	~4 min	macos	📦zip
✔️	2689308	#13	2025-02-20 09:15:05	~4 min	windows	📦zip
✔️	2689308	#13	2025-02-20 09:15:28	~5 min	linux	📦zip
✔️	2689308	#13	2025-02-20 09:15:50	~5 min	macos	📦zip
✔️	2689308	#13	2025-02-20 09:22:30	~12 min	tests-rpc	📄log
✖️	2689308	#13	2025-02-20 09:42:07	~32 min	tests	📄log
✔️	1ddaa93	#14	2025-02-21 02:05:14	~2 min	ios	📦zip
✔️	1ddaa93	#14	2025-02-21 02:05:22	~3 min	android	📦aar
✔️	1ddaa93	#14	2025-02-21 02:06:42	~4 min	macos	📦zip
✔️	1ddaa93	#14	2025-02-21 02:06:55	~4 min	windows	📦zip
✔️	1ddaa93	#14	2025-02-21 02:07:42	~5 min	macos	📦zip
✔️	1ddaa93	#14	2025-02-21 02:09:27	~7 min	linux	📦zip
✔️	1ddaa93	#14	2025-02-21 02:14:26	~11 min	tests-rpc	📄log
✔️	1ddaa93	#14	2025-02-21 02:35:08	~32 min	tests	📄log

[codecov]

Codecov Report

Attention: Patch coverage is 43.58974% with 22 lines in your changes missing coverage. Please review.

Project coverage is 59.65%. Comparing base (873e93a) to head (1ddaa93).
Report is 1 commits behind head on develop.

Files with missing lines	Patch %	Lines
api/geth_backend.go	33.33%	7 Missing and 3 partials ⚠️
mobile/status.go	0.00%	8 Missing ⚠️
params/config.go	76.92%	2 Missing and 1 partial ⚠️
cmd/utils/utils.go	0.00%	1 Missing ⚠️

❌ Your patch status has failed because the patch coverage (43.58%) is below the target coverage (50.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff              @@
##           develop    #6285       +/-   ##
============================================
+ Coverage     0.45%   59.65%   +59.19%     
============================================
  Files          824      865       +41     
  Lines       109683   113135     +3452     
============================================
+ Hits           497    67488    +66991     
+ Misses      109129    37786    -71343     
- Partials        57     7861     +7804     

Flag	Coverage Δ
functional	0.45% <5.26%> (+<0.01%)	⬆️
unit	59.64% <43.58%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
logutils/override.go	87.87% <100.00%> (+50.37%)	⬆️
cmd/utils/utils.go	0.00% <0.00%> (ø)
params/config.go	66.66% <76.92%> (+66.66%)	⬆️
mobile/status.go	3.52% <0.00%> (+2.35%)	⬆️
api/geth_backend.go	54.71% <33.33%> (+52.05%)	⬆️

... and 766 files with indirect coverage changes

[osmaczko]

Looks fine. However, there is a failing RPC test that needs to be fixed.

[ilmotta]

@qfrank, code LGTM. I'm just missing some evidence that the default ERROR level during pre-login is not leaking any private information. Could you please verify the log Error calls are not leaking private data? If you share with me the list of Error call sites during pre login I can also double-check (as a reviewer).

[qfrank]

Looks fine. However, there is a failing RPC test that needs to be fixed.

RPC test fixed

[qfrank]

@qfrank, code LGTM. I'm just missing some evidence that the default ERROR level during pre-login is not leaking any private information. Could you please verify the log Error calls are not leaking private data? If you share with me the list of Error call sites during pre login I can also double-check (as a reviewer).

I tried use regex \.Error\(".+, zap.+, zap.+\) to find all the code related to error level log, the number of search results is not very large (133 results - 49 files) search-result.txt.zip
I tried update some of log code with this PR

I have retained the following error log because I think we can keep it, if you have a different opinion, feel free to express it.

logutils.ZapLogger().Error("Error while reporting error response", zap.Stringer("peerID", peerID), zap.Error(err))
logutils.ZapLogger().Error("can't unmarshal node", zap.Binary("value", value), zap.Error(err))
logutils.ZapLogger().Error("error registering topic", zap.String("topic", string(t)), zap.Error(err))
logutils.ZapLogger().Error("error searching foro", zap.String("topic", string(t.topic)), zap.Error(err))
logutils.ZapLogger().Error("failed to process found node", zap.Stringer("node", node), zap.Error(err))
m.logger.Error("failed to retry sending message", zap.String("hash", envelope.envelopeHashID.String()), zap.Int("attempt", envelope.attempts+1), zap.Error(err))
logutils.ZapLogger().Error("unable to update storage", zap.Stringer("peer", ev.Peer), zap.Error(err))
logutils.ZapLogger().Error("error adding value to filter", zap.Stringer("hash", hash), zap.Error(err))
logutils.ZapLogger().Error("error adding value to filter", zap.Any("hash", hash), zap.Error(err))
logutils.ZapLogger().Error("Error fetch logs", zap.Any("criteria", f.crit), zap.Error(err))
logutils.ZapLogger().Error("Error adding logs", zap.Any("logs", logs), zap.Error(err))
logutils.ZapLogger().Error("Error marshaling", zap.NamedError("response", err), zap.NamedError("result", resErr))
logutils.ZapLogger().Error("Error marshaling", zap.NamedError("response", err), zap.NamedError("result", resErr))
c.logger.Error("Error sending telemetry data", zap.Int("statusCode", res.StatusCode), zap.Any("responseBody", responseBody))
logger.Error("Failed to get transaction", zap.Stringer("hash", hashes[i]), zap.Error(err))
tm.logger.Error("Failed to update trackedTx status", zap.Stringer("hash", br.hash), zap.Error(err))
tm.logger.Error("Failed to retrieve auto_delete for pending transaction", zap.Stringer("hash", br.hash), zap.Error(err))
tm.logger.Error("Failed to delete pending transaction", zap.Stringer("hash", br.hash), zap.Error(err))
tm.logger.Error("Failed to update pending transaction status", zap.Stringer("hash", br.hash), zap.Error(err))
tm.logger.Error("Failed to get updated rows", zap.Stringer("hash", br.hash), zap.Error(err))
tm.logger.Error("Failed to marshal pending transaction status", zap.Stringer("hash", change.hash), zap.Error(err))
tm.logger.Error("Failed to marshal PendingTxUpdatePayload", zap.Stringer("hash", payload.Hash), zap.Error(err))
logutils.ZapLogger().Error("failed to add msg into the filters store", zap.Stringer("hash", msg.EnvelopeHash), zap.Error(err))
w.logger.Error("could not obtain dns discovery peers for ClusterConfig.WakuNodes", zap.Error(err), zap.String("dnsDiscURL", addrString))

Next, I will check whether there is any personal information included when constructing the error object in our code. @ilmotta @osmaczko

[qfrank]

Next, I will check whether there is any personal information included when constructing the error object in our code.

It's also done with this PR

[osmaczko]

@qfrank, code LGTM. I'm just missing some evidence that the default ERROR level during pre-login is not leaking any private information. Could you please verify the log Error calls are not leaking private data? If you share with me the list of Error call sites during pre login I can also double-check (as a reviewer).

This might be overly cautious, as pre-login, by definition, should not be capable of leaking private data since the user database remains encrypted 🤔

[qfrank]

@qfrank, code LGTM. I'm just missing some evidence that the default ERROR level during pre-login is not leaking any private information. Could you please verify the log Error calls are not leaking private data? If you share with me the list of Error call sites during pre login I can also double-check (as a reviewer).

This might be overly cautious, as pre-login, by definition, should not be capable of leaking private data since the user database remains encrypted 🤔

The definition of pre-login is actually not clear enough. When I implemented it, I did it this way: only after a successful login will the log call statusBackend.SetupLogSettings() switch to geth.log, for example, the call to statusBackend.SetupLogSettings() occurs after the successful call of statusBackend.LoginAccount. In fact, statusBackend.LoginAccount has already done a lot of initialization actions internally, including password authentication.

[osmaczko]

@qfrank, code LGTM. I'm just missing some evidence that the default ERROR level during pre-login is not leaking any private information. Could you please verify the log Error calls are not leaking private data? If you share with me the list of Error call sites during pre login I can also double-check (as a reviewer).

This might be overly cautious, as pre-login, by definition, should not be capable of leaking private data since the user database remains encrypted 🤔

The definition of pre-login is actually not clear enough. When I implemented it, I did it this way: only after a successful login will the log call statusBackend.SetupLogSettings() switch to geth.log, for example, the call to statusBackend.SetupLogSettings() occurs after the successful call of statusBackend.LoginAccount. In fact, statusBackend.LoginAccount has already done a lot of initialization actions internally, including password authentication.

I see. I am wondering if there is a way to immediately hook into database decryption to modify the logging settings, as post-login would be too late, as you mentioned. I believe this is still less work than obfuscating all logs. It is a never-ending battle—new logs will inevitably appear, sooner or later, breaking the assumption that no private or sensitive data is present in the logs.

[qfrank]

I am wondering if there is a way to immediately hook into database decryption to modify the logging settings

if we do it like this, the error log between successful decryption and fail loginAccount will go into geth.log rather than pre_login.log , this should not be our expectation ? 🤔

It is a never-ending battle—new logs will inevitably appear, sooner or later, breaking the assumption that no private or sensitive data is present in the logs.

True, encrypting logs sounds good, but we can merge this one and PR as first step? @osmaczko

[ilmotta]

I see. I am wondering if there is a way to immediately hook into database decryption to modify the logging settings, as post-login would be too late, as you mentioned. I believe this is still less work than obfuscating all logs. It is a never-ending battle—new logs will inevitably appear, sooner or later, breaking the assumption that no private or sensitive data is present in the logs.

@osmaczko I would say this is a good problem to have. We should be able to draw the line between what's considered private data in logs when PRs are approved. I still think we should be using the type system to protect certain data from ever being printed, as is supported by Go and zap (although that's a large effort in some cases).

True, encrypting logs sounds good

@qfrank Encrypting logs seems like an unnecessary overhead in mobile devices because other apps cannot access the app's data folder (ignoring rooted phones). I'm assuming we can write all log files to the app's protected data directory, but for some reason we write the geth.log and requests.log to the Downloads folder in Android. As you and I talked briefly about the Downloads folder @qfrank, seems worth exploring why we must write there. This seems to be a mild security concern to me.

For desktop apps, the practice of encrypting logs is unusual. Usually, the user controls encryption at rest using other mechanisms, like telling the application to write logs to a special folder, but the application itself is oblivious to this. There are a myriad of tools to control access and protect directories/files. Maybe I'm completely wrong here, in which case, I'd be happy to learn from other desktop apps that do differently.

Additionally, encrypting logs will only help with data at rest, but the original motivation for this PR and logging improvements in general is to allow logs to be more safely shared by CCs and users facing dreadful bugs, or at least parts of such logs.

[osmaczko]

I am wondering if there is a way to immediately hook into database decryption to modify the logging settings

if we do it like this, the error log between successful decryption and fail loginAccount will go into geth.log rather than pre_login.log , this should not be our expectation ? 🤔

Right, I didn't think of it. Still better to print post decryption login errors to geth.log than post login data to pre-login.log 😅

It is a never-ending battle—new logs will inevitably appear, sooner or later, breaking the assumption that no private or sensitive data is present in the logs.

True, encrypting logs sounds good, but we can merge this one and PR as first step? @osmaczko

This PR looks fine to me - already approved! 👍 PS. I am not sure about encryption anymore, @ilmotta raised a good points.

[osmaczko]

Thanks @ilmotta for input!

@osmaczko I would say this is a good problem to have. We should be able to draw the line between what's considered private data in logs when PRs are approved. I still think we should be using the type system to protect certain data from ever being printed, as is supported by Go and zap (although that's a large effort in some cases).

I agree, and I see two aspects to consider:

1. Data that nobody wants to leak, even under confidentiality constraints, such as private keys, message content, etc.
2. Data that some users prefer not to share, such as the communities and chats they belong to, message IDs they have received, transactions they have made, etc.

While the first category is obvious and should never be logged, even at the trace/debug level, the second is more nuanced. I believe it should only be logged in debug mode. However, this means that logs shared by users who did not have debug enabled will likely be useless.

True, encrypting logs sounds good

@qfrank Encrypting logs seems like an unnecessary overhead in mobile devices because other apps cannot access the app's data folder (ignoring rooted phones). I'm assuming we can write all log files to the app's protected data directory, but for some reason we write the geth.log and requests.log to the Downloads folder in Android. As you and I talked briefly about the Downloads folder @qfrank, seems worth exploring why we must write there. This seems to be a mild security concern to me.

Sounds reasonable, but following the same logic, why do we use encryption for the database on mobile?

For desktop apps, the practice of encrypting logs is unusual. Usually, the user controls encryption at rest using other mechanisms, like telling the application to write logs to a special folder, but the application itself is oblivious to this. There are a myriad of tools to control access and protect directories/files. Maybe I'm completely wrong here, in which case, I'd be happy to learn from other desktop apps that do differently.

Additionally, encrypting logs will only help with data at rest, but the original motivation for this PR and logging improvements in general is to allow logs to be more safely shared by CCs and users facing dreadful bugs, or at least parts of such logs.

That sounds logical indeed. The question should be: are there many desktop apps that require users to authenticate each time they want to use them?

My point is that if the database is encrypted for a reason, and we cannot guarantee that no private data is leaked in logs (which we cannot), then the logs should probably be encrypted as well.

[ilmotta]

Thanks @osmaczko. Interesting follow-up points.

While the first category is obvious and should never be logged, even at the trace/debug level, the second is more nuanced.

Fully agree with you. The second category is a more difficult one.

Sounds reasonable, but following the same logic, why do we use encryption for the database on mobile?

This is a good good question. I actually don't know the original reasons that led to the encryption of the database in mobile.

I would imagine it was done to be part of a defense in depth strategy, but I don't know what were the threat models. Mobile devices can be rooted and there's benefit in having data encrypted at rest. Or another reason may be that there are way too many incarnations of Android, and in some of them the OS may be less strict or is outdated (because the manufacturer doesn't provide OS upgrades anymore due to planned obsolescence) and could be more easily exploited by malicious apps.

@Samyoul do you have context on this one?

My point is that if the database is encrypted for a reason, and we cannot guarantee that no private data is leaked in logs (which we cannot), then the logs should probably be encrypted as well.

There are layers to this and I don't have a strong opinion. We could encrypt logs and there are upsides in doing that, although seems somewhat unusual.

• The logs are less critical than the DB, and thus, could have different security constraints.

• Logs I'd say should be disabled by default or only enabled at the error level, both in mobile or desktop environments. This default choice can also reduce wear in disks. At the error level, I think we are capable of guaranteeing private data is not leaking. Although we cannot prove, it seems doable and sustainable with a straightforward guideline in PR reviews.

• As many of us pointed out, we need to agree on what we consider private data; at which levels data can be logged, or if it's acceptable to log at X level but partially redacted.

• Only the user should be allowed to use lower levels, like info. They should understand the implications of changing this setting and the risks to share.

Status should never ask for full log files from users and we agreed on that with the Legal team. We offer a feature to share the logs, but this should be done only by those who understand what they are doing, usually CCs, and ideally, using test accounts for the single purpose of reproducibility. Further, we could improve the UX to explain to users the implications associated with different log levels or point out to an external documentation.

However, this means that logs shared by users who did not have debug enabled will likely be useless.

Yes, they may be useless at the error level. Besides, we are in control, we can better wrap errors in status-go and provide more meaningful logs, use unique error codes, and so on. I think we could further improve crash reports. For instance, in the mobile app, when the user shakes the device some data is captured from the runtime (e.g. a small and safe part of the UI state), apart from the logs and zip them altogether. git provides a bug report command, and many tools have something like that.

In some cases, as I've seen in tickets online, the user may want to share parts of logs if the bug is severe and the UI provides no clues. In many occasions in the mobile app, I've noticed that the UI didn't show something meaningful to the user after an error, which forced them to resort to logs. Proper UI feedback is yet another way to help users not need to change log levels and share logs.

The question should be: are there many desktop apps that require users to authenticate each time they want to use them?

Not sure if I got the question right. I'm just one data point, but I think in desktop apps in GNU/Linux, we have such cases. For example, Spotify leaks some private data in ~/.cache and it requires authentication on every initialization.