On Tue, 23 Feb 2016 05:17 am, Jon Ribbens wrote:

> On 2016-02-22, Ethan Furman <et...@stoneleaf.us> wrote:
>> On 02/14/2016 04:08 PM, Ben Finney wrote:
>>> I am unconcerned with whether there is a real filesystem entry of that
>>> name; the goal entails having no filesystem activity for this. I want a
>>> valid unique filesystem path, without touching the filesystem.
>>
>> This is impossible. If you don't touch the file system you have no way
>> to know if the path is unique.
>
> Weeeeeell, I have a lot of sympathy for that point, but on the other
> hand the whole concept of UUIDs ("import uuid") is predicated on the
> opposite assumption.

You're referring to uuid4, presumably, as the other varieties of UUID use non-secret information, such as the time, or a namespace, either of which is potentially public knowledge. Only uuid4 is considered "globally unique", and that's not *certainly* globally unique, only that the chance of an *accidental* collision is below some threshold deemed "small enough that we don't care".

Deliberate collisions of public UUIDs are *trivial*. Pick a UUID you know is already in use, and use it again.

There are a lot of assumptions involved in the "globally unique" claim, and there are probably ways to contrive to generate the same UUIDs as someone else. But to what benefit? UUIDs are not intended as security tokens, and are not hardened against attack. Even uuid4 may not be suitable for security, since it may use a cryptographically weak PRNG such as Mersenne Twister.

--
Steven
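
The distinction the reply draws between UUID versions, as an added example that is not part of the original post: it reads the clear-text time and node fields back out of a version-1 UUID, regenerates a name-based UUID from public inputs, and uses the standard library's `secrets` module where a name has to resist guessing. The helper names and sample values are constructed for illustration.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# Version-1 timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def build_v1(when, node, clock_seq):
    """Assemble a version-1 UUID from chosen fields (stands in for an observed one)."""
    ticks = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1) * 10
    fields = (ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF, (ticks >> 48) & 0x0FFF,
              (clock_seq >> 8) & 0x3F, clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields, version=1)

def readable_fields(u):
    """Return what anyone holding the UUID can read out of it."""
    info = {"version": u.version}
    if u.version == 1:
        # Creation time, clock sequence and node id are stored in the clear.
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["clock_seq"] = u.clock_seq
        info["node"] = f"{u.node:012x}"
    elif u.version == 4:
        # 128 bits minus 4 version bits and 2 variant bits.
        info["random_bits"] = 122
    return info

def source_name(observed, namespace, candidates):
    """Return the candidate name that regenerates a version-3/5 UUID, if any."""
    make = {3: uuid.uuid3, 5: uuid.uuid5}.get(observed.version)
    if make is None:
        return None
    return next((n for n in candidates if make(namespace, n) == observed), None)

def unpredictable_name(nbytes=16):
    """Name taken from the OS CSPRNG, for values that have to resist guessing."""
    return secrets.token_hex(nbytes)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    when = datetime(2016, 2, 23, tzinfo=timezone.utc)
    print(readable_fields(build_v1(when, node=0x001122334455, clock_seq=0x1234)))
    print(readable_fields(uuid.uuid4()))
    v5 = uuid.uuid5(uuid.NAMESPACE_DNS, "python.org")
    print(source_name(v5, uuid.NAMESPACE_DNS, ["example.org", "python.org"]))
    print(unpredictable_name())
```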