HackerTrans
TopNewTrendsCommentsPastAskShowJobs

saclark11

no profile record

Submissions

Tech Debt? I don't believe it exists

dadrian.io
3 points·by saclark11·vor 11 Monaten·2 comments

comments

saclark11
·vor 8 Monaten·discuss
You can do this in Go by making a type declaration defining a function and then adding a method with the same signature on that type, which calls the function. The Go standard library does exactly this with the `HandlerFunc` type [1].

  // The HandlerFunc type is an adapter to allow the use of
  // ordinary functions as HTTP handlers. If f is a function
  // with the appropriate signature, HandlerFunc(f) is a
  // [Handler] that calls f.
  type HandlerFunc func(ResponseWriter, *Request)
  
  // ServeHTTP calls f(w, r).
  func (f HandlerFunc) ServeHTTP(w ResponseWriter, r *Request) {
      f(w, r)
  }
[1]: https://cs.opensource.google/go/go/+/refs/tags/go1.25.4:src/...
saclark11
·vor 11 Monaten·discuss
Sounds like you'll love "Spend Bill Gates' Money" [1]

[1]: https://neal.fun/spend
saclark11
·letztes Jahr·discuss
Advertising any UUID/GUID generator as cryptographically secure, or relying on it to be so, is a mistake, in my opinion.

You use a UUID when you need a universally unique ID whose guessability properties are not a critical security requirement. While the V4 UUID spec (which this package does not implement, but most users might assume it does) states that a UUID implementation SHOULD be cryptographically secure [1], it also states that they MUST NOT be used as security capabilities [2]. This is b/c they are not intended as secure tokens, but many users mistakenly assume them to be suitable as such. Not to mention, V4 UUIDs only have 122 bits of entropy, not 128, since 6 bits are reserved for version and variant information, which many users don't realize.

So you can generate a UUID that is suitable as a secure token, but at that point don't call it a UUID. Just call it a secure token. And if you need a secure token, use something like Go's `Text()` function from `crypto/rand` [3].

The situation reminds me of how the Go team updated the `math/rand` and `math/rand/v2` packages to use a CSPRNG as a defensive measure [4], while still urging users to use `crypto/rand` in secure contexts.

[1]: https://www.rfc-editor.org/rfc/rfc9562.html#unguessability

[2]: https://www.rfc-editor.org/rfc/rfc9562.html#Security

[3]: https://pkg.go.dev/crypto/[email protected]#Text

[4]: https://go.dev/blog/chacha8rand
saclark11
·letztes Jahr·discuss
> "UUID" was already taken by Google.

This shouldn't really matter as your import paths are obviously different. `github.com/google/uuid` and `github.com/sdrapkin/guid` can happily coexist. Any file/codebase importing both (which would ideally be avoided in the first place) can alias them.

> IMHO "Guid" is just as well known

I think the point the commenter was trying to make is that these do not adhere to the UUID spec. You don't specify which version, but judging by the docs and your comparison to `github.com/google/uuid`, I'd wager most folks looking at this library would assume they are supposed to be V4 UUIDs.