mojira / arisa-kt

:robot::sparkles: Run checks and perform automated tasks in Mojira
https://bugs.mojang.com
GNU General Public License v3.0

Remove JFR files from `sensitiveFileNameRegexes` #755

Open Marcono1234 opened 2 years ago

Marcono1234 commented 2 years ago

Currently JFR files are listed as sensitive files because they contained access tokens in the past: https://github.com/mojira/arisa-kt/blob/743fbd229bc5a127a3b1b69caaf7a56e0e4b4acb/config/config.yml#L194-L195

However, we were told internally (where #751 had been mentioned as well) that the latest Minecraft versions do not include the access token in the JFR files anymore. So in, for example, a month (to add some safety delay in case users still upload them from old versions) we should probably remove the JFR files from the sensitive file names list again.

osfanbuff63 commented 2 years ago

Do we still want to do this?

Marcono1234 commented 2 years ago

Removing this would allow sharing JFR reports publicly on Mojira (though they are not shared very often). However, it looks like they contain the access token again (have created a Mojira issue for that), so this is blocked until that issue is fixed.

violine1101 commented 1 year ago

JFR reports also contain full paths on Windows, which usually include the Windows user name (which can be considered private information)

osfanbuff63 commented 1 year ago

With that, we could probably use some regex or something to replace the username with ******** or something - don't know how hard that would be though.

Marcono1234 commented 1 year ago

> With that, we could probably use some regex or something to replace the username with ******** or something - don't know how hard that would be though.

JFR files seem to use a custom binary file format, so we probably cannot easily redact information in it.

However, I assume the number of Mojira issues where JFR files are attached is probably rather low, so maybe it is acceptable to just set these few issues to private? In that case, should we simply close this GitHub issue and keep the Arisa config as it is?
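Added example (not Arisa's code, and not a JFR parser): it illustrates the two points made above, that a Windows user name can be found in an attachment with a regex, and that textual redaction is fragile inside a binary format. The attachment content is a constructed toy container of 2-byte length-prefixed records, used only to stand in for a format with internal offsets; the regex, record layout and sample strings are all assumptions of this example.

```python
import re
import struct

# Windows user-profile path: drive letter, "\Users\", then the user name up to
# the next separator. Applied to raw bytes so it works on binary attachments too.
WIN_USER_PATH = re.compile(rb"(?i)([A-Z]:\\Users\\)([^\\/:*?\"<>|\x00]+)")


def find_usernames(data: bytes) -> set:
    """Return the set of user names found in Windows profile paths."""
    return {m.group(2) for m in WIN_USER_PATH.finditer(data)}


def mask_same_length(data: bytes) -> bytes:
    """Replace each user name with the same number of '*' bytes, so every
    byte offset after the name is unchanged."""
    return WIN_USER_PATH.sub(lambda m: m.group(1) + b"*" * len(m.group(2)), data)


def mask_fixed(data: bytes) -> bytes:
    """Replace each user name with a fixed '********'; this changes the length
    of the surrounding record unless the name happens to be 8 bytes long."""
    return WIN_USER_PATH.sub(lambda m: m.group(1) + b"********", data)


def pack_records(records) -> bytes:
    """Toy container (assumption): 2-byte big-endian length, then payload."""
    return b"".join(struct.pack(">H", len(r)) + r for r in records)


def parse_records(data: bytes):
    """Walk the toy container; raises ValueError if a length no longer fits."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + n > len(data):
            raise ValueError("record runs past end of data")
        out.append(data[pos:pos + n])
        pos += n
    return out


def structure_intact(original: bytes, redacted: bytes) -> bool:
    """True if the redacted blob still parses into records of the same lengths."""
    try:
        new = parse_records(redacted)
    except ValueError:
        return False
    old = parse_records(original)
    return [len(r) for r in new] == [len(r) for r in old]


# Constructed sample data: two records carry a Windows user name, one uses
# forward slashes and must not match.
SAMPLE_RECORDS = [
    b"jdk.ExecutionSample",
    b"C:\\Users\\alice.smith\\AppData\\Roaming\\.minecraft\\logs\\latest.log",
    b"D:/Games/minecraft/launcher.exe",
    b"c:\\users\\Bob\\Desktop\\crash.txt",
]
SAMPLE_ATTACHMENT = pack_records(SAMPLE_RECORDS)

if __name__ == "__main__":
    print("found:", sorted(find_usernames(SAMPLE_ATTACHMENT)))
    print("same-length mask keeps structure:",
          structure_intact(SAMPLE_ATTACHMENT, mask_same_length(SAMPLE_ATTACHMENT)))
    print("fixed-width mask keeps structure:",
          structure_intact(SAMPLE_ATTACHMENT, mask_fixed(SAMPLE_ATTACHMENT)))
```

Detection is cheap and format-agnostic, which is enough for deciding to set an issue private. Rewriting is not: the fixed-width mask shifts every later offset and the toy parser rejects the result, and a real format may additionally keep strings in a constant pool, compress them, or checksum the chunk, in which case even same-length masking needs a format-aware parser to be safe.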

violine1101 commented 1 year ago

> However, I assume the number of Mojira issues where JFR files are attached is probably rather low, so maybe it is acceptable to just set these few issues to private?

Yes, the amount of jfr files attached to bug reports has been very low, so in general I feel like a more sophisticated solution is not worth it.

However, the current solution is still suboptimal. For example: JFR files were added to https://bugs.mojang.com/browse/MC-249136 by someone other than the reporter, and subsequently the bug report was set to private. This was confusing for the person attaching these bug reports, and also brings the potential for intentional sabotage.

So I'm currently thinking that this either should be a manual task instead of automated, or we should prevent attaching jfr files by non-reporters outright.

Marcono1234 commented 1 year ago

> This was confusing for the person attaching these bug reports, and also brings the potential for intentional sabotage. [...] or we should prevent attaching jfr files by non-reporters outright

That is similar to #663, and as mentioned there in the comments it might also affect attachments which cause a report to be resolved as Invalid (not sure if that is still the case though).