At 10:59 AM 4/17/2003, Ben Laurie wrote:
>>
>> SVN should absolutely NOT grow a UUID generator. Don't even start thinking
>> along those lines. That is squarely in the realm of APR, as it can simply
>> defer to Windows's builtin function for that platform. I think some unix
>> platforms actually have it, but APR just rolls its own according to the
>> spec.
>
>Except Windows UUIDs are evil and should not be used (they allow an
>attacker to collate all UUIDs that belong to the same machine).

You must be thinking of Win95/NT. See the note in apr/misc/win32/rand.c:

/* Note: this call doesn't actually require CoInitialize() first
 *
 * XXX: we should scramble the bytes or some such to eliminate the
 * possible misuse/abuse since uuid is based on the NIC address, and
 * is therefore not only a uniqifier, but an identity (which might not
 * be appropriate in all cases.
 *
 * Note that Win2000, XP and later no longer suffer from this problem,
 * a scrambling fix is only needed for (apr_os_level < APR_WIN_2000)
 */

The 'right fix' is probably to fall back on the Unix code for NT and 9x, leaving
the 'Windows' behavior for W2K/XP only.
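
The concern in the quoted comment (a UUID "based on the NIC address" doubling as an identity) can be audited on generated values. The following is an added example, not part of the original message and not APR code: a check that reports whether a textual UUID carries a hardware-style node field. It assumes the RFC 4122 layout; `uuid_node_check` and the enum names are hypothetical, and the sample UUID is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum uuid_node_kind {
    UUID_MALFORMED = -1,   /* not 8-4-4-4-12 hex digits */
    UUID_NO_NODE = 0,      /* not an RFC 4122 version 1 UUID: no node field */
    UUID_RANDOM_NODE = 1,  /* version 1, multicast bit set: node was randomized */
    UUID_MAC_NODE = 2      /* version 1, unicast node: looks like a NIC address */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Classify one UUID string; for version 1, copy the 6 node bytes if node != NULL. */
enum uuid_node_kind uuid_node_check(const char *s, unsigned char *node)
{
    unsigned char b[16] = {0};
    int i, v, n = 0;
    if (strlen(s) != 36) return UUID_MALFORMED;
    for (i = 0; i < 36; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-') return UUID_MALFORMED;
            continue;
        }
        if ((v = hexval(s[i])) < 0) return UUID_MALFORMED;
        b[n / 2] |= (unsigned char)(n % 2 ? v : v << 4);
        n++;
    }
    /* Variant bits must be 10x and the version nibble must be 1. */
    if ((b[8] & 0xC0) != 0x80 || (b[6] >> 4) != 1) return UUID_NO_NODE;
    if (node) memcpy(node, b + 10, 6);
    /* RFC 4122 4.5: generators without a real MAC set the multicast bit. */
    return (b[10] & 0x01) ? UUID_RANDOM_NODE : UUID_MAC_NODE;
}

int main(void)
{
    unsigned char n[6];
    /* Constructed sample; node is in the RFC 7042 documentation MAC range. */
    const char *u = "c232ab00-9414-11ec-b3c8-00005e0053af";
    if (uuid_node_check(u, n) == UUID_MAC_NODE)
        printf("%s embeds node %02x:%02x:%02x:%02x:%02x:%02x\n",
               u, n[0], n[1], n[2], n[3], n[4], n[5]);
    return 0;
}
```

Any two values classified as `UUID_MAC_NODE` with equal node bytes came from a generator using the same address, which is the linkage a scrambling or random-node fallback removes.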