[issue22807] uuid.uuid1() should use uuid_generate_time_safe() if available

Barry A. Warsaw report at bugs.python.org
Mon Feb 20 10:14:00 EST 2017


Barry A. Warsaw added the comment:

On Feb 20, 2017, at 02:21 PM, STINNER Victor wrote:

>What am I supposed to do with an UUID with safe=False? Should I loop on the
>function until I get safe==True?

It would be an application dependent response.  It might be that you would
check some other attributes of your platform (e.g. are the OS packages that
should be installed to give you safe UUIDs?).  Or your application may not
care that much, or your application may refuse to continue to run on platforms
without safe UUIDs, or you might use some application-level synchronization
methods to guarantee safe UUIDs (e.g. store the unsafe or unknown ones in a
database and check that new ones are not already used).

The point of this change is that it provides information to the application
creating UUIDs that wasn't previously available.

>"safe for multiprocessing applications"
>
>Does it mean unique on the whole system?
>
>I looked at uuid_generate_time_safe(3) manual page which mentions
>"synchronization mechanisms (see above)" but they are not documented.
>http://manpages.ubuntu.com/manpages/zesty/en/man3/uuid_generate.3.html

I believe some systems at least use interprocess communication with a daemon
to provide the synchronization.  Yes, it would be system-wide.

>> I'm classifying this as a security issue, (...)  
>
>This issue was only fixed in Python 3.7. Does it mean that it's no more
>considered as a security vulnerability?

I should remove that tag.  While this could have an impact on application
security, it's not a security issue *in Python* itself.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22807>
_______________________________________
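
The application-side choices listed in the message above (refuse to run, not care, or record unsafe/unknown UUIDs and check new ones against them), sketched as an added example that is not part of the original message or of CPython. It relies on the `UUID.is_safe` attribute and `uuid.SafeUUID` enum as shipped in Python 3.7; the function names, policy names and the `issued` table are assumptions made for illustration.

```python
import sqlite3
import uuid
from uuid import SafeUUID


class UnsafeUUIDError(RuntimeError):
    """Raised when policy forbids UUIDs without a multiprocessing-safe guarantee."""


def open_registry(path=":memory:"):
    # The PRIMARY KEY constraint is the application-level synchronization:
    # a second insert of the same value fails atomically.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS issued (id TEXT PRIMARY KEY, safety TEXT)")
    return conn


def new_uuid(conn, policy="dedupe", generate=uuid.uuid1, max_tries=5):
    """Return a uuid1-style UUID handled according to `policy` (hypothetical names).

    policy="refuse": raise unless the platform reports SafeUUID.safe.
    policy="dedupe": record unsafe/unknown UUIDs and retry on a collision.
    policy="ignore": return whatever the generator produced.
    """
    for _ in range(max_tries):
        u = generate()
        if u.is_safe is SafeUUID.safe or policy == "ignore":
            return u
        if policy == "refuse":
            raise UnsafeUUIDError(f"uuid1() reported {u.is_safe.name}")
        try:
            with conn:  # commits on success, rolls back on error
                conn.execute("INSERT INTO issued VALUES (?, ?)", (str(u), u.is_safe.name))
            return u
        except sqlite3.IntegrityError:
            continue  # already handed out by this or another process; try again
    raise UnsafeUUIDError(f"no unused UUID after {max_tries} tries")


def constructed_generator(values):
    # Constructed sample input: replays fixed UUIDs so the collision path is reproducible.
    it = iter(values)
    return lambda: next(it)
```

For the registry to synchronize across processes, `open_registry` must be given a file path shared by all of them rather than the in-memory default.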

