asf-tooling commented on issue #214:
URL:
https://github.com/apache/tooling-trusted-releases/issues/214#issuecomment-4410428394
<!-- gofannon-issue-triage-bot v2 -->
**Automated triage** — analyzed at `main@2da7807a`
**Type:** `discussion` • **Classification:** `no_action` •
**Confidence:** `high` • ⚠️ **Stale — consider closing**
**Application domain(s):** `shared_infrastructure`, `cryptographic_keys`
### Summary
This issue requests tamper-resistant audit logging via cryptographic sealing
(merkle trees + Rekor). @sbp provided deep technical analysis noting that
QuickLog2 is optimized for kernel-level high-frequency logging, while ATR needs
low-frequency batched logging and a suitable scheme from the Schneier-Kelsey
family. @dave2wave (2026-02-18) explicitly stated 'this issue was worked in
other more recent issues. Please close it as duplicate of one of them.' No log
sealing code exists in the current codebase; the audit function writes plain
JSON.
### Where this lives in the code today
#### `atr/storage/__init__.py` — `audit` (lines 436-452)
_currently does this_
The current audit function writes plain JSON log entries with no
cryptographic sealing, chaining, or tamper-resistance - this is the code that
would need to be enhanced for log sealing.
```python
def audit(**kwargs: basic.JSON) -> None:
now =
datetime.datetime.now(datetime.UTC).isoformat(timespec="milliseconds")
now = now.replace("+00:00", "Z")
action = log.caller_name(depth=2)
request_user_id = log.get_context("user_id")
admin_user_id = log.get_context("admin_id")
kwargs = {"datetime": now, "action": action, **kwargs}
if request_user_id:
kwargs["request_user_id"] = request_user_id
if admin_user_id and (request_user_id != admin_user_id):
kwargs["admin_user_id"] = admin_user_id
msg = json.dumps(kwargs, allow_nan=False)
# The atr.log logger should give the same name
# But to be extra sure, we set it manually
logger = logging.getLogger("atr.storage.audit")
# TODO: Convert to async
logger.info(msg)
```
#### `atr/log.py` — `_auth_log` (lines 224-230)
_currently does this_
The authentication event logger also writes plain JSON without any
cryptographic sealing - another audit-critical log stream that would need
protection.
```python
def _auth_log(**kwargs):
now =
datetime.datetime.now(datetime.UTC).isoformat(timespec="milliseconds")
now = now.replace("+00:00", "Z")
kwargs = {"datetime": now, **kwargs}
msg = json.dumps(kwargs, allow_nan=False)
logger = logging.getLogger("atr.auth")
logger.info(msg)
```
#### `atr/storage/__init__.py` — `AccessAs.append_to_audit_log` (lines 45-47)
_currently does this_
All storage write operations use this method to record audit events, which
delegates to the unsealed audit() function.
```python
class AccessAs:
def append_to_audit_log(self, **kwargs: basic.JSON) -> None:
audit(**kwargs)
```
### Proposed approach
No action should be taken on this issue. @dave2wave explicitly stated on
2026-02-18 that this issue was worked in other more recent issues and should be
closed as a duplicate. The technical discussion between @sbp and @dave2wave
concluded that: (1) QuickLog2 is not the right fit for ATR's low-frequency
batched logging, (2) an existing conservative implementation of a
forward-resistant MAC scheme should be found, and (3) using Rekor as a
surrogate trusted verifier has unimplemented and non-obvious security
properties. The work has presumably been decomposed into newer, more specific
issues.
### Open questions
- Which 'more recent issues' does @dave2wave refer to that supersede this
one?
- Has any log sealing implementation been started in a different issue or
branch?
### Staleness assessment
_opened 276 days ago; last human comment 78 days ago._
The issue is 276 days old. The last human comment (78 days ago) from
@dave2wave explicitly requests closure as a duplicate, stating 'this issue was
worked in other more recent issues.' No log sealing code exists in the current
codebase, and the technical discussion concluded without a clear implementation
path. The maintainer's intent to close is unambiguous.
**Recommendation: consider closing this issue.** If the maintainer agrees,
the agent's assessment above provides the rationale to include in a closing
comment.
_The agent reviewed this issue and is not proposing patches in this run.
Review the existing-code citations and open questions above before deciding
next steps._
### Files examined
- `atr/log.py`
- `atr/models/sql.py`
- `atr/db/__init__.py`
- `atr/storage/__init__.py`
- `atr/storage/writers/keys.py`
- `atr/storage/writers/ssh.py`
- `atr/ssh.py`
- `atr/storage/outcome.py`
---
*Draft from a triage agent. A human reviewer should validate before merging
any change. The agent did not run tests or verify diffs apply.*
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
