A UUID function for web developers

classic Classic list List threaded Threaded
26 messages Options
12
Reply | Threaded
Open this post in threaded view
|

A UUID function for web developers

denisewiseon
Is it possible to introduce a function for getting a system generated UUID through javascript? It has been a long time coming. I am of the opinion this function should be fast-tracked into browsers, since it has been a lingering and deepening hole in the feature set of browsers.

Maybe at the next meeting of groups of developers of different browsers, a consensus can be made regarding how to add this function, and they can immediately set out to independently roll it out. Having it become a part of an official standards document is a secondary concern.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Kohei Yoshino-2
I have a simple utility function to get a UUID:
https://github.com/bzdeck/flaretail.js/blob/master/scripts/helpers.js#L864

Does it work?

-Kohei

On 2016-03-17 5:25 PM, [hidden email] wrote:
> Is it possible to introduce a function for getting a system generated UUID through javascript? It has been a long time coming. I am of the opinion this function should be fast-tracked into browsers, since it has been a lingering and deepening hole in the feature set of browsers.
>
> Maybe at the next meeting of groups of developers of different browsers, a consensus can be made regarding how to add this function, and they can immediately set out to independently roll it out. Having it become a part of an official standards document is a secondary concern.

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

L. David Baron
You could also write your own, such as the following (which probably
could be simplified, but it works for me):

function hex_pad(num)
{
    var s = num.toString(16);
    while (s.length < 4) {
        s = "0" + s;
    }
    return s;
}

function uuidgen()
{
    var a = new Uint16Array(8);
    window.crypto.getRandomValues(a);
    return a.reduce((prev, item, idx) =>
                      prev + hex_pad(item) + (1 <= idx && idx < 5 ? "-" : ""),
                    "");
}

It doesn't seem like there's a need to add it to the platform given
that it can be written relatively simply using existing platform
features.

-David

On Thursday 2016-03-17 17:44 -0400, Kohei Yoshino wrote:

> I have a simple utility function to get a UUID:
> https://github.com/bzdeck/flaretail.js/blob/master/scripts/helpers.js#L864
>
> Does it work?
>
> -Kohei
>
> On 2016-03-17 5:25 PM, [hidden email] wrote:
> >Is it possible to introduce a function for getting a system generated UUID through javascript? It has been a long time coming. I am of the opinion this function should be fast-tracked into browsers, since it has been a lingering and deepening hole in the feature set of browsers.
> >
> >Maybe at the next meeting of groups of developers of different browsers, a consensus can be made regarding how to add this function, and they can immediately set out to independently roll it out. Having it become a part of an official standards document is a secondary concern.
--
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                          https://www.mozilla.org/   𝄂
             Before I built a wall I'd ask to know
             What I was walling in or walling out,
             And to whom I was like to give offense.
               - Robert Frost, Mending Wall (1914)

_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

denisewiseon
In reply to this post by Kohei Yoshino-2
I'm referring to Universally Unique Identifiers here, not randomly generated numbers. Being universally unique, they must conform to certain standard such that no two will ever collide. I don't want to depend on some third-party unproven implementation when it is an intrinsic feature of every operating system.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Kyle Huey-2
https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_.28random.29

- Kyle

On Thu, Mar 17, 2016 at 3:16 PM, <[hidden email]> wrote:

> I'm referring to Universally Unique Identifiers here, not randomly
> generated numbers. Being universally unique, they must conform to certain
> standard such that no two will ever collide. I don't want to depend on some
> third-party unproven implementation when it is an intrinsic feature of
> every operating system.
> _______________________________________________
> dev-planning mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-planning
>
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

denisewiseon
In reply to this post by denisewiseon
I maintain I don't want to make or receive a UUID based on any one of a myriad of custom implementations. To me, not giving me the UUID type is like not giving me the integer type, it just doesn't make any sense.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Kyle Huey-2
You can maintain that but given that UUID generation can be implemented on
top of existing web platform features with 10 lines of JS it's unlikely to
be viewed as a priority for browser vendors.

- Kyle

On Thu, Mar 17, 2016 at 3:58 PM, <[hidden email]> wrote:

> I maintain I don't want to make or receive a UUID based on any one of a
> myriad of custom implementations. To me, not giving me the UUID type is
> like not giving me the integer type, it just doesn't make any sense.
> _______________________________________________
> dev-planning mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-planning
>
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

denisewiseon
In reply to this post by denisewiseon
If by "priority" you mean it is going to cost more than 10 minutes of discussion and 1 minute of code, I disagree.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

ISHIKAWA,chiaki
In reply to this post by denisewiseon
On 2016/03/18 7:16, [hidden email] wrote:
> they must conform to certain standard such that no two will ever collide.

"no two is ever likely to collide" is best we can hope for, BTW.

You can write, as some suggested, a uuid function by picking up one of the algorithms from, say,
https://www.ietf.org/rfc/rfc4122.txt

The beauty of uuid is that, because there is no central authority,  anyone can generate one and use it for one's application domain as one sees fit albeit a very, very  small probability that in one's application domain when IDs from similar applications are collected, that a collision *may* occur, but to an ordinary user, one can neglect that.
(The collision is so unlikely in ordinary use that if one finds an instance, I would think that should be put on the wall on a plaque :-)
But at least, EVERYONE should use a reasonably good uuid implementation that uses  something like one of the algorithms in rfc4122 with enough care.

Just my two cents worth.

PS: A malicious user can create, of course, create data with uuid to cause trouble in an existing application domain with existing data with published uuids [I mean it is a simple act of copy&paste], but
if one cannot stand that behavior in an application domain then it is time for a centrally managed id system (and some manners of preserving the authority of the assignment with all the management and security overhead of such a centrally managed system. It *IS* a trade-off to use uuid for care-free creation and assignment (assuming we have a good implementation of uuid creation function which every application user in that domain agrees to use.)

E.g.: I have seen uuid used for real and virtual disk volume ids and have not heard of a collision before. And *IF* by sheer chance (1/2^n), uuid collision occurs the worst it can happen is that an OS refuses to mount the second system with the same uuid, and one can always regenerate a new uuid to the second disk (and hopefully the newly generated uuid won't match another uuid in the system) and mount the disk with the new volume id.
If someone's application is doomed if there are different data with the same uuid, then the use of uuid is fundamentally flawed. There has to be a mechanism of soft-failure and recovery path.



_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

denisewiseon
In reply to this post by denisewiseon
I don't understand the logic of people who insist every single web programmer should inevitably go hunting for a sound UUID generator when it is already there in everyone's damn system. Also, designing an UUID implementation that is meant to be limited to one's own "domain" is both redundant and short sighted; UUID's by definition should never collide, and you should not assume your UUID's will never be mixed with UUID's generated elsewhere.

The whole point of UUID's is that they are unique, and it gives developers great relief knowing someone had the foresight to come up with such an entity, until oops! You find out somehow, maybe the master plan of web developer saboteurs, access to the UUID generator function was not provided. I'm not even going to ask for a reason, there is no reason, at least no good reason.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Jim Porter
On 03/17/2016 11:53 PM, [hidden email] wrote:
> The whole point of UUID's is that they are unique, and it gives
> developers great relief knowing someone had the foresight to come up
> with such an entity, until oops! You find out somehow, maybe the
> master plan of web developer saboteurs, access to the UUID generator
> function was not provided. I'm not even going to ask for a reason,
> there is no reason, at least no good reason.

You probably wouldn't get access to Version 1 UUIDs, since they leak
client data that can be used for fingerprinting (most importantly, the
MAC address). Version 2 UUIDs aren't often supported, so they're out
too. That leaves versions 3, 4, and 5, all of which can be implemented
in plain ol' Javascript, unless I'm mistaken.

In any case, if you think this is a very important feature to add to
Javascript, why not draft a proposal yourself? I'm not involved in the
committee, but the process seems pretty open based on this:
<http://www.2ality.com/2015/11/tc39-process.html>. It would probably be
more productive than expecting other people to take up your cause even
if they have no interest in it.

- Jim
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Martin Thomson
On Fri, Mar 18, 2016 at 4:29 PM, Jim Porter <[hidden email]> wrote:
> You probably wouldn't get access to Version 1 UUIDs, since they leak
> client data that can be used for fingerprinting (most importantly, the
> MAC address). Version 2 UUIDs aren't often supported, so they're out
> too. That leaves versions 3, 4, and 5, all of which can be implemented
> in plain ol' Javascript, unless I'm mistaken.

I'm always fascinated by this obsession with UUID.  Everyone uses
version 4.  I've only rarely seen others used.  And in most cases, the
same function is better filled by a high-entropy string.

crypto.getRandomValues(new Uint8Array(16)).join(',').split(',').map(x
=> (parseInt(x,10) + 0x100).toString(16).slice(1)).join('')

Those 32 characters have more entropy than the 36 (or 38) characters
of a UUID.  Smaller still with a different encoding.  Base64 over 15
random octets produces 20 characters with plenty of entropy.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Nicholas Nethercote
In reply to this post by denisewiseon
On Fri, Mar 18, 2016 at 3:53 PM, <[hidden email]> wrote:
>
> The whole point of UUID's is that they are unique, and it gives
developers great relief knowing someone had the foresight to come up with
such an entity, until oops! You find out somehow, maybe the master plan of
web developer saboteurs, access to the UUID generator function was not
provided. I'm not even going to ask for a reason, there is no reason, at
least no good reason.

Maybe I'm misunderstanding your point, but UUIDs are just numbers and they
are not guaranteed to be unique. The opening section of
https://en.wikipedia.org/wiki/Universally_unique_identifier explains this
well. Any decent random number generator should suffice for generating them.

Nick
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

denisewiseon
In reply to this post by Jim Porter
Sorry, I was out of service for a day.

The resistance befuddles me; although, I appreciate the informative feedback.

The potential for "fingerprinting" is there, but is it really avoidable in this day and age. So many approaches exist, such as having people use your login service on targeted websites, or using their IP addresses. Plus, I'm sure operating system developers have taken this into consideration, and have for very good reasons decided the benefits far outweigh the security risks. Remember, the whole idea of the UUID is that it is meant to exist in a universal context, in that, any number of computers will use it to uniquely distinguish something from everything else.

I remember the time Bill Gates, after a long determined effort in a session with developers and organizations everywhere in some undisclosed bunker somewhere, emerged exhausted with what I believe was the first implementation of the UUID. It was heralded by mainstream news outlets all across the globe as a revolutionary development in the world of technology; yet, here we are 16 years later with developers for the leading platform (web browsers) of our time oblivious to its necessity. If there was any technology in which UUID generation should be built-in, first and foremost should be the technology that connects computers together. The UUID is an essential component in the world of connected computers, and to deny developers hassle-free access to it is to deny them a very important privilege.

I have no intention of arguing with you about which implementation is acceptable, as I'll just be setting my case up for failure. I pose a function for retrieving system generated UUID's should be implemented immediately, outside any standards body, which can afterward catch up to the standard practice. Clearly, if browser developers can focus on adding so many frills, which I appreciate a lot, don't get me wrong, they can invest a bit of time and effort into something ubiquitously in demand, an intrinsic part of the field, and has been a long time coming. Both, in the short and long term, they will be doing developers a great service by giving them this function immediately.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

David Rajchenbach-Teller-2
I believe that everybody (myself included) fails to understand how a
built-in UUID function would improve the web platform in any manner,
given that something just as good – and something much better – can be
coded in a matter of minutes.

Cheers,
 David

On 19/03/16 18:56, [hidden email] wrote:

> Sorry, I was out of service for a day.
>
> The resistance befuddles me; although, I appreciate the informative feedback.
>
> The potential for "fingerprinting" is there, but is it really avoidable in this day and age. So many approaches exist, such as having people use your login service on targeted websites, or using their IP addresses. Plus, I'm sure operating system developers have taken this into consideration, and have for very good reasons decided the benefits far outweigh the security risks. Remember, the whole idea of the UUID is that it is meant to exist in a universal context, in that, any number of computers will use it to uniquely distinguish something from everything else.
>
> I remember the time Bill Gates, after a long determined effort in a session with developers and organizations everywhere in some undisclosed bunker somewhere, emerged exhausted with what I believe was the first implementation of the UUID. It was heralded by mainstream news outlets all across the globe as a revolutionary development in the world of technology; yet, here we are 16 years later with developers for the leading platform (web browsers) of our time oblivious to its necessity. If there was any technology in which UUID generation should be built-in, first and foremost should be the technology that connects computers together. The UUID is an essential component in the world of connected computers, and to deny developers hassle-free access to it is to deny them a very important privilege.
>
> I have no intention of arguing with you about which implementation is acceptable, as I'll just be setting my case up for failure. I pose a function for retrieving system generated UUID's should be implemented immediately, outside any standards body, which can afterward catch up to the standard practice. Clearly, if browser developers can focus on adding so many frills, which I appreciate a lot, don't get me wrong, they can invest a bit of time and effort into something ubiquitously in demand, an intrinsic part of the field, and has been a long time coming. Both, in the short and long term, they will be doing developers a great service by giving them this function immediately.
> _______________________________________________
> dev-planning mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-planning
>
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Kyle Huey-2
In reply to this post by denisewiseon
On Sat, Mar 19, 2016 at 10:56 AM, <[hidden email]> wrote:

> I pose a function for retrieving system generated UUID's should be
> implemented immediately, outside any standards body, which can afterward
> catch up to the standard practice.
>

This simply is not how things are done.

- Kyle
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

denisewiseon
In reply to this post by denisewiseon
It is unreasonable to require every developer to go searching for a UUID generator function, and quite possibly, dissuade them from ever using UUID's for a many number of reasons by virtue of a UUID generator not being readily at hand. Taking the initiative of independently adding the function will neither be the first nor the last exception to the rule of always following standards, and it definitely qualifies as one of the more justified ones.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Eric Rescorla
You have this backwards. Things that are easily polyfilled are the lowest
priority
for being added to the platform in advance of standardization. As Martin
Thomson
has observed, browsers already contain the core mechanisms necessary to
generate UUIDs, namely a cryptographic PRNG.

More pragmatically, you've now posted 7 messages to this thread and you
haven't
convinced anyone. At this point, I would suggest that your time would be
much
better spent trying to convince someone to standardize this function,
rather than
us to implement in advance of a standard.

-Ekr

On Sat, Mar 19, 2016 at 1:52 PM, <[hidden email]> wrote:

> It is unreasonable to require every developer to go searching for a UUID
> generator function, and quite possibly, dissuade them from ever using
> UUID's for a many number of reasons by virtue of a UUID generator not being
> readily at hand. Taking the initiative of independently adding the function
> will neither be the first nor the last exception to the rule of always
> following standards, and it definitely qualifies as one of the more
> justified ones.
> _______________________________________________
> dev-planning mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-planning
>
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

denisewiseon
In reply to this post by denisewiseon
It is surreal I have to justify the inclusion of this, because it is already a basic feature in all platforms beside web browsers. You know, if just one team of web browser developers break their long-standing tradition of not including a UUID generator function, all others will follow.

I'll consider submitting a proposal to the standards bodies, but what if it is rejected or takes any length of time. How can you justify the immeasurable number of manhours that will go to waste, because you resist providing a simple wrapper over a system function call?
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
Reply | Threaded
Open this post in threaded view
|

Re: A UUID function for web developers

Philipp Kewisch-2
On 3/19/16 9:31 PM, [hidden email] wrote:
> It is surreal I have to justify the inclusion of this, because it is already a basic feature in all platforms beside web browsers. You know, if just one team of web browser developers break their long-standing tradition of not including a UUID generator function, all others will follow.
>
> I'll consider submitting a proposal to the standards bodies, but what if it is rejected or takes any length of time. How can you justify the immeasurable number of manhours that will go to waste, because you resist providing a simple wrapper over a system function call?
>

A list of other things that could be included in the platform:

* auto-grow text area
* human readable filesizes from numbers
* image format conversion
* sortable tables
* code to create a lightbox effect
* templating
* markdown conversion
* pretty printing and syntax highlighting
* more elements like in jquery-ui
* more functional tools
* ...

As you see, there are a lot of things that are used pretty commonly, and
also a lot of simple items in there. Should they all be in the browser?
I hope you agree this is more than core functionality, just like UUIDs.

If you say "but uuids are even more simple", where in that list should
the line be drawn? Should all the helper functions in jquery be
available natively in the browser, because they are similarly simple?
What about other js libraries? There is always a next thing that is just
a little bit more effort.

What is available in the browser should be most minimal, so that
libraries can be used to implement on top of it. This is for the same
reason that programming languages give you just the basics and libraries
allow extending it. Adding it just because it may be convenient would
not be helpful, as each new feature requires extra work and needs to be
maintained.

Also, if it is implemented and people rely on it, it is hard to make
changes to the API in the future. This is why we prefer going to the
standards body first. If the feature is rejected from the standards
body, then probably for a good reason. If the feature is just available
in Firefox, then you might as well not implement it at all because
developers will have to add the code for other browsers anyway.

As others have mentioned, I don't see this happening in Firefox. I hope
this helps understand why. If you still believe this is a viable option
you can try convincing the standards body, but I think the best option
forward is to continue using libraries as before.

Philipp
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning
12