Comments (7)
Some background is here: #26.
It is true that MD5 should not be used (it is provided only for completeness), but there's reason to believe that SHA1 will be deprecated as well one day in favor of a more secure hash function.
from uuid.
Let's elaborate then. What can code written today use?
name_generator_md5
name_generator_sha1
name_generator
basic_name_generator
1 is wrong. Code should never use MD5.
2 is wrong, as it hardcodes the use of SHA1, which may be deprecated in the future.
3 is correct. It will automatically switch to the new alternative when it's available.
4 is either 1, 2, or a violation of the spec.
So, we've managed to deprecate the only correct choice, and we've added a few incorrect choices. This makes client code worse.
It's name_generator_md5
and name_generator_sha1
that should be "deprecated", not name_generator
. Except of course those didn't exist before, so deprecation makes no sense for them either.
from uuid.
Makes sense. Unless someone wants to have a predictable conversion from textual names to UUIDs. name_generator
is probably good as the default, which is suitable for general use. More specific names are available for when they are needed. basic_name_generator
is just a building block.
from uuid.
The MD5 generator was added to complete the implementation relative to the RFC. I agree it is unlikely to be used. It is also not loaded into a compilation unit unless explicitly asked for by name.
The problem comes when SHA1 is deprecated in favor of something else. If someone is using name_generator
and then the next version of boost changes the definition of name_generator
to use a different hashing function, anything hashed before with name_generator
is invalidated and this could break any logic based on data hashed by a previous version of boost.
This is why I split them out, and specifically want folks to switch from using name_generator
to name_generator_sha1
so that when name_generator_whatever_is_next
comes out, their code won't break. And when that whatever comes next is out, name_generator
will be removed for safety.
from uuid.
I agree that people who require predictable UUID generation would want to tie themselves to SHA1 for eternity. People who do not, will not, and having their code change automatically to the better alternative will be a benefit to them, not a downside.
Yes, using hardcoded SHA1 will not "break", but it will also not fix itself when a better alternative becomes available. So it's not clear what specific safety does not using name_generator
provide. It forces you to make your code perpetually unsafe.
from uuid.
The assumption is that if one is using a name_generator
they need it to be stable across time. Therefore they should start with deciding which hash algorithm they want to use up front.
What we could do is add name_generator_latest
, if someone wants to automatically track changes to the current hashing algorithm, but I need them to do it consciously, which is why I want name_generator
to retire because it would not be safe to change the definition to anything other than sha1 as it could break all existing consumers.
from uuid.
Adding name_generator_latest
seems a good compromise. With it, all clients will have a non-deprecated option to which they can switch depending on their use case.
from uuid.
Related Issues (20)
- Can generator is shared by multiple threads without locks? HOT 2
- Linking to bcrypt creates problems (i.e. for CMake users) HOT 9
- CI: add cmake build jobs (use boost-ci)
- CI: add bigendian test (and coverage report)
- CI: Add coverity scan integration
- Consider removing dependency on Boost.TTI HOT 1
- x86 optimized operators are slower than generic version HOT 2
- Align `uuid` to 16 bytes HOT 7
- time_generator - any opinions about adding it? HOT 12
- #pragma message doesn't show correctly when enabled BOOST_UUID_RANDOM_PROVIDER_SHOW . GCC/Clang HOT 1
- Consider separating the portable header-only random implementation to another package or library HOT 1
- threeway comparision support HOT 4
- basic_random_generator not safe in case a = a HOT 1
- Improve messages of string_generator HOT 1
- [feature request] Please consider supporting UUID v6 v7 v8 as decribed in RFC 9562 HOT 2
- uuid no longer packable with gcc HOT 1
- uuid no longer constexpr contructable HOT 5
- Sign conversion error in uuid_clock.hpp
- uuid cannot initialize from list on gcc with boost 1.86 HOT 2
- boostorg/uuid@0f84313 - broke `boost::compute` HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from uuid.