New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 800838 link

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



Sign in to add a comment

Prevent recurrence of RLZ opt-out error

Project Member Reported by tnagel@chromium.org, Jan 10 2018

Issue description

Could you please implement measures to prevent a recurrence of issue 793162, e.g. by adding a test or by refactoring the code so that RLZ opt-out does not manifest as empty brand code?
 
Owner: ----
Status: Available (was: Assigned)
Better to ask that an owner of the omnibox or search engine to do that, or maybe the author of the CL that was reverted.

The root of the problem was that the RLZ value was being cached locally by the search engine code.  This was likely based on the assumption that the RLZ values never changes at runtime.  We now know this is an incorrect assumption for cros.  I'm not exactly sure how to refactor RLZ so that users cannot cache the RLZ value.  Any thoughts?

Looking at the bug attached to the reverted change, seems like this may have been meant as a windows and/or mac only change, that inadvertently was applied to cros.  You should follow up with the folks on that bug to determine the real issue they were trying to address and implement a different fix.

Comment 2 by tnagel@chromium.org, Jan 11 2018

Cc: -rpop@chromium.org borisv@chromium.org rogerta@chromium.org
Labels: -Pri-3 Pri-2
Owner: rpop@chromium.org
Assigning to rpop to find an eng owner.

I think it's not just error-prone but it's also plain wrong to indicate RLZ opt-out by setting an empty brand code in [1] because (via google_brand::GetBrand()) there are many non-RLZ consumers of brand code in metrics, updater and other places.

Thus instead overloading the brand code with RLZ opt-out, we should convey opt-out through a separate function call.

[1] https://cs.chromium.org/chromium/src/chrome/browser/chromeos/login/session/user_session_manager.cc?type=cs&q=UserSessionManager::InitRlzImpl&sq=package:chromium&l=1559
Let's say we change:

   std::string google_brand::GetBrand();

to something like:

   // Returns true if user is opted in to RLZ, false otherwise.  If opted in,
   // |brand| contains the brand code to use with RLZ and search endpoints.
   bool google_brand::GetBrand(std::string* brand);

This still does not prevent someone from caching the fact that RLZ is either opted in or not.  So does not prevent a recurrence of the error.  Callers need to know that they should never cache the values of this call.  Let me know if I'm missing something.

Just as a random thought, and with a lot of handwaving, wouldn't the safest measure against caching be the prevention of direct access?

void AppendRLZtoSearchURL(GURL* url_to_modify);
void AppendRLZtoInstallPing(URLRequest* request_to_modify);

Both access the string under the hood, but don't expose it.

Comment 5 by tnagel@chromium.org, Jan 11 2018

Status: Assigned (was: Available)
> Returns true if user is opted in to RLZ, false otherwise.  If opted in,
> |brand| contains the brand code to use with RLZ and search endpoints.

As I wrote above, there are consumers who need the brand code even when RLZ is disabled. To my mind it would be cleaner to separate the concerns:

// may be cached
std::string GetBrand();

// must not be cached
bool IsRlzEnabled();

And also IsRlzEnabled() must default to false and only flip to true after it has been determined that the opt-out file doesn't exist. (As we have seen the current behaviour, defaulting to true and flipping to false when the opt-out file exists, is error-prone.)

Comment 6 by rpop@chromium.org, Feb 2 2018

Cc: msramek@chromium.org rpop@chromium.org
Owner: ----
I'm not the right owner for this. Who owned the CL that got reverted? msramek, are you interested in driving this to closure?
Cc: -rogerta@chromium.org
Owner: rogerta@chromium.org
In my opinion this falls into the responsibility of the feature team (RLZ).

Comment 8 by tnagel@chromium.org, Feb 27 2018

Small correction to comment #5: IsRlzEnabled() may be cached as well, but only once it has been guaranteed that the correct value has been seeded (e.g. after trying to read the RLZ opt-out file).

Sign in to add a comment