v11 telemetry improvements discussion

Learn about how we're improving v11's telemetry so automatic errors reported can be fixed quickly

Hello everyone!

You may or may not know that we have changed how telemetry works in v11 compared to v10. For those who don't know, telemetry is the system / process where a Composr website automatically forwards errors encountered (and basic statistics) to the Composr homesite for review by the core developers. There are two settings you can control on your site whether or not it does this.

In version 10, telemetry was e-mail based. When your site encountered an error, it would send an email to a special address which was monitored by an automated tool. The automated tool would parse the sent message and appropriately organize it so the developers can be made aware of issues people are encountering. I cannot speak on the effectiveness of this system because it was entirely run by Chris Graham. As far as I know, it was not very effective especially with organization and communication back to the webmaster of the site which sent the error in the first place.

The system has been changed in version 11. E-mails are becoming a less reliable means to transmit telemetry information. As spam attacks grow, more webhosts are denying the ability to send e-mails, and more e-mail providers are getting strict on spam filtering. For this reason, v11 (as of alpha1) will now transmit telemetry information via web API calls. There are a couple challenges with doing this though:

• If Composr is in a dire state, using heavy libraries like CURL is just asking for more problems (and PHP does not have a reliable native HTTP solution).
  • Our solution: raw fsock requests will be used
• Some of the error messages may contain very sensitive information like full server file paths and POSTed data in web forms. This shouldn't be transmitted raw as an attacker could snatch it.
  • Our solution: v11 will require PHP's libsodium (which should be available by default as of PHP 7) and will ship with a public key. It will use the public key to encrypt what it sends to the Composr homesite. And the Composr homesite will use the public/private key pair to decrypt it. Only the core developers will have access to the private key. And a new public/private key pair will be rotated on every minor release of Composr for extra security.

Additional changes coming in alpha3: I've made some improvements to the Composr error log and the UI. Now, when your site sends an error to us, an additional line will be added to errorlog.php under the relevant error saying "TELEMETRY somenumber". The number is an ID referencing the report number. When you view the error log on the Admin Zone, the site will generate links you can click for errors that were relayed to the developers. And you can check the status of the relayed error at any time including notes left by the developers (which may include a link to a hotfix). Here is an example from an error my development site reported: https://composr.app/telemetry/4.htm . It is intentionally very vague as these pages are public. So we give no indication as to what the error was, who reported it, etc (it is assumed if you clicked on a link from the Admin Zone error log to view the page that you already know what error it is for). The "notes" field will contain any notes left by the developers, such as a link to a fix or whatnot.

Please let me know any thoughts you may have to this new system. So far, it has already helped me fix a few unreported v11 bugs.

Be aware this is not a replacement for reporting bugs to the tracker. And not all errors will get auto-reported. Always report things to the tracker if you believe it is a bug. That way the developers can better communicate with you on the issue, and you can be awarded points for your report (which may put you on the community stars page).

Attached are a couple screenshots.

Additional screenshots to show you what things look like in telemetry on the core developer's end (for transparency)

The above is a list of sites who opted in to sending basic statistics to Composr. I blurred out the ones who asked not to be featured (except for composr.app (the top one) and my own two sites which should say yes instead of no). So this is what statistics the developers have and receive.


The above is the screen for viewing a table of relayed error messages. I created a dummy error for demonstration.

The above is viewing a specific relayed error.

That's a lot more useful for sure, nice job.