Brendan Eich wrote:
Gathering entropy enough to make a UUID is work. A crypto module's
RBG should be up to it. Browsers have those, but we haven't yet
required any such thing in ECMA-262, and I expect some
implementations will be crypto-module-free and cheese out on the
quality (where they wouldn't ship unpatched memory safety bugs!).
This is worth a discussion: do we require an RBG with the right
quality in normative words in ES6?

A good point. We should indeed discuss the costs of adding this
requirement.

Ok. I think it's going to be a problem for "tiny" embeddings of
ECMA-262 implementations (Japanese smart TVs? Maybe these are
"legacy", the "compact profile", even). We need to cast a wide net.
And the meta-hazard here is a race to the bottom. If systems interop and
some generate worse UUIDs than others, a corollary of Gresham's Law will
probably kick in.
/be