Mark S. Miller wrote:
Don't ever use MAC addresses, dates, times, positions, etc, as sources of uniqueness.
uuidgen implementations have used MAC addresses in the past, which I believe led to a public collision.
Want a collision resistant string? Use 128 bits of entropy. You'll get an accidental collision of these with the same rarity as you will for two unique symbols because of an undetected memory error.
Wait, what? An "undetected memory error" meaning a GC bug where a symbol is freed before it is dead and reincarnated as another symbol? That is rare enough that I don't believe you (or anyone) can say collisions are as rare. We are arguing quality-of-implementation here.
Gathering entropy enough to make a UUID is work. A crypto module's RBG should be up to it. Browsers have those, but we haven't yet required any such thing in ECMA-262, and I expect some implementations will be crypto-module-free and cheese out on the quality (where they wouldn't ship unpatched memory safety bugs!). This is worth a discussion: do we require an RBG with the right quality in normative words in ES6?
/be
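Added example, not code from the thread or its participants: drawing a 128-bit identifier from a cryptographic RBG and using the birthday bound to show how collision odds depend on the generator's effective entropy rather than on the length of the string. The function names and the 32- and 64-bit comparison rows (modelling a generator that is weaker than its output length suggests) are assumptions made for illustration.

```javascript
// Added example; all names here are illustrative, not from the thread.
// Use the Web Crypto RBG; older Node builds expose it only via node:crypto.
const rbg = globalThis.crypto ?? require('node:crypto').webcrypto;

// Draw `bits` of entropy from the cryptographic RBG and hex-encode them.
function randomId(bits = 128) {
  if (!Number.isInteger(bits) || bits <= 0 || bits % 8 !== 0) {
    throw new RangeError('bits must be a positive multiple of 8');
  }
  const bytes = rbg.getRandomValues(new Uint8Array(bits / 8));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Birthday bound: probability that n ids drawn uniformly from 2^bits values
// contain at least one collision, p ~= 1 - exp(-n(n-1) / 2^(bits+1)).
// expm1 keeps precision when p is far below the double-precision epsilon.
function collisionProbability(n, bits) {
  const exponent = -(n * (n - 1)) / Math.pow(2, bits + 1);
  return -Math.expm1(exponent);
}

// Inverse of the bound: how many ids can be issued before the collision
// probability reaches p.
function idsForProbability(p, bits) {
  return Math.sqrt(-2 * Math.pow(2, bits) * Math.log1p(-p));
}

// Compare a full-entropy 128-bit id with generators whose effective entropy
// is lower (constructed scenarios: a 32-bit or 64-bit seed behind a
// 128-bit-looking string).
function comparisonTable(n = 1e9) {
  return [32, 64, 128].map((bits) => ({
    effectiveBits: bits,
    pCollision: collisionProbability(n, bits),
    idsFor50Percent: idsForProbability(0.5, bits),
  }));
}

console.log('sample id:', randomId());
console.table(comparisonTable());
```
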

