Logging opt-in issues.

[Pscheidl]

Logging is now opt-in via a feature named log. This was done to resolve the issue of secrets potentially being log when logging is set to debug/trace. In most cases, this crate will now be safe to use.

However, there's still room for malicious intents or leaking secrets simply by mistake. It's due to the way cargo handles optional features.

If any of the dependencies enables an optional feature, the feature is enabled everywhere.

E.g. if a lib/app depends on serde-env directly, and also on yet another crate with serde-env as a transitive dependency with log feature enabled, logging will be enabled for the app as well.

App # inherits enabled logging from `some-other-crate`
- serde-env
- some-other-crate
  --serde-env(features=["log"]) # logging enabled here

Opting out doesn't seem to solve the issue, as per Cargo book

Note: This may not ensure the default features are disabled. If another dependency includes flate2 without specifying default-features = false, then the default features will be enabled. See feature unification below for more details.

If one crate opts in, then all others do. And it is difficult to verify this every time a dependency is updated or added.

I can think of one solution: remove logging for good, and only add it for debugging if necessary during development. Replace debug/trace logging with more tests if required.

Is there any other way ? Am I missing something ? @Xuanwo

[Xuanwo]

Maybe we can mark log as a cfg instead of feature.

[Pscheidl]

Do you mean test cfg -> conditionally compiled in test mode only ? If yes, then I'd do the PR.

[Pscheidl]

This has been resolved in #44 -> closing.