It looks like the last person that did this job deployed all the. I asked about it, and was told that they "provide better stack trace info in the logs" if they are left on the server.
Is there any truth to this? I've always left them behind, never deploying them to anywhere other than my local machine. For an internal development IIS server not production, not accessible to the outside world is there any reason to or not to deploy the.
Is there anything bad that could happen? How can debug symbols be used to compromise an application? I'm curious about the technical details, but what I'm really looking for is a practical way to evaluate the risk of including debug symbols for any given application and production environment.
Or to put it another way: what's the worst that could happen? So based on everyone's answers so far, it seems like this question can be simplified a bit for. NET applications. This bit from the John Robbins blog linked in Michael Maddox's answer kind of leaped out at me:.
NET PDB only contains two pieces of information, the source file names and their lines and the local variable names. All the other information is already in the. To me, this reiterates what others have been saying about Reflector, with the implication being that the real issue is access to the assemblies.
Once that's been determined, the only decision to make with respect to PDBs is whether or not you care about exposing file names, line numbers, and local variable names assuming that you're not showing stack traces to end users to begin with. Or have I oversimplified this too much? If you never expose a stack trace to your users and generally you shouldn't , there isn't really any additional security risk of deploying PDB files.
When a user visible stack trace happens, the user can see the full stack trace including your file name and file line numbers. This could give them some idea of how your app is architected which would potentially help them if hacking.
A bigger security threat is something like Reflector which when used on your DLLs will allow them to view your source code, with or without pdb files. Without a PDB I would have to resort to looking through dissasembly :. However, I suggest that you keep them and eventually index them to be able to analyze any dump files that clients, QA, and support people send you. This way, you will be able to have comprehensible stack traces and symbol information.
You need it to be able to get a stack trace. It can also contain information about mapping it to sources. Sometimes you might want to ship your release version, and still need to analyze a crash that occurs on the client side. For that, the PDB is needed. The PDB when compiling for release should in theory have less information than when compiling for debug. PDB files contain debug symbols that allow you to debug your binary even in release mode. You don't have to and probably shouldn't deploy them , as they might be used to reverse engineer your application.
Do keep them archived somewhere, though, because they come in very handy when you want to debug a crash dump. You don't need to distribute them. It'll help with debugging or I should say it will make debugging possible for sane people. As the majority of the people on this thread have said: no, you don't have to ship the PDB file s ; but really you should if you ever intend to release the code into the wild.
It's really about being able to support your application. Without the PDB, when you application crashes, all your user will be able to tell you is the raw memory address of where the application crashed; but with the PDB file you get an error you can actually do something about.
No, you don't ship the. They are generated because sometimes it's helpful to be able to debug a release build. Stack Overflow for Teams — Collaborate and share knowledge with a private group.
Create a free Team What is Teams? Collectives on Stack Overflow. Learn more. Do you have to deploy the. Ask Question.
0コメント