sbp commented on issue #339: URL: https://github.com/apache/tooling-trusted-releases/issues/339#issuecomment-3576316874

We are not migrating to t-strings for performance reasons. We are migrating to t-strings to enable more accurate scanning of secret values, to allow us to more easily perform different styles of logging simultaneously as described in PEP 750, to give us better control over the interpolation of variables from potentially untrusted sources to improve upon our mitigation, and to regain the ability to perform Sentry style grouping based on the template (though I would prefer to use enums or potentially introspection for that).

Only documenting this was a priority. Implementing t-strings is of a low priority now that I have committed d444d20be776bc9ae5f99631630744f53a5b36e2 which mitigates template padding attacks at the interface level and makes all of our logging strings consistent. We don't even have an issue tracking this, only a TODO item in the source code. Implementing t-strings moreover depends on migrating to Python 3.14, which might not yet be possible.

I am not presently interested in performance improvements for ATR except where they directly affect user experience. I expect not to have to use the `lambda:` mechanism in t-strings in any existing ATR code.
