[Swan-dev] debug-logging

Andrew Cagney andrew.cagney at gmail.com
Wed Oct 17 15:04:59 UTC 2018

These are my fuzzy notes from a group discussion from last week about
debug-logging - that is dumping stuff we'd like to see when chasing a

- '--debug all' current debug-log functions are controlled by debug
bits, for instance a debug-log line, using the current simplest
interface, looks like:
        "this is debug-logged when either %s or %s is enabled",
        "XAUTH", "kernel");
  Unfortunately, over time, this model has broken down.  Instead
debuglog=all has proven to be the only workable option.  Consequently,
the flags should be dropped and the simplest interface further reduced
to just:
    DBGF("this is debug-logged when %s is enabled", "any debugging");
 (name is subject to ongoing discussion). The obvious follow-on (not
yet discussed) is that --debug all will need a re-name, --debug info
--debug flow --debug default

- '--debug private' - which is for end users and intentionally exposes
security information - is really a system-log parameter so should be
kicked out of --debug and moved somewhere else (presumably some other

- '--debug crypt' - which unintentionally exposes security information
and lots off it - should be retained and shouldn't be the default
  presumably, debug-log messages such as 'computing DH' don't fall
under 'crypt', but the actual calculations do

- '--debug too-much-information' - sometimes too much irrelevant
debug-log information is generated.  For instance, the hash table code
debug-logs all transitions in great detail - something not useful
except when debugging the hash table subsystem.  Rather then remove
that code, a finer-grained logging interface is also needed (and not
enabled by default).  For instance:
    DBG_FINE("this will probably never be debug-logged");
  (name is subject to ongoing discussion)

my comments:

- I subscribe to the dogma that all macros should be upper case

- unless we're pretty aggressive over what gets moved to 'fine', I
suspect we'll end up needing a way to debug-log less than the default
set or adding more fine-grained bits similar to 'crypt'
  for instance, the raw contents of every packet gets dumped on the
way in; should it?

- code generating a single log line such as:
    DBG(DBG_KERNEL|DBG_XAUTH, DBG_log("...", ...));
  and can be reduced to:
   DBGF("...", ...);


More information about the Swan-dev mailing list