Closed aslatter closed 9 years ago
Also - include versioning policy w.r.t. changes to uuid-types requiring (or not requiring) a change in the uuid version.
Would you like any help/input on this? I think I could (hopefully!) try to string some words together this weekend. They'll probably need to be edited heavily, but...
Ah! Sorry for letting this languish, I'd meant this to be notes to myself.
I can cut a release for you without this, probably late tonight or early tomorrow morning.
No, no, let's have a good rationale ready! It wasn't my intention to rush you or anything! I honestly just wanted to know if I could help! :)
Just a little snippet:
If you're developing a library, you'll probably want to use uuid-types to minimize the number of additional dependencies you're imposing on the users of your library. You'll probably want to supply some sort of runtime configuration which will allow your users to supply their own way to generate UUIDs. For example, you could let users of your library supply a value of type IO UUID which you can then use to generate UUIDs as appropriate. You should probably not rely on the built-in instances for UUID to generate UUIDs since that takes away choice from the users of your library. (As a special case, the built-in Random instance for UUID does not use a cryptographically secure random number generator by default. Currently there are no extant implementations of Random for any CSPRNG, mostly due to the requirement for a "split" method.)
(About that last bit with "split": I'm not 100% sure, but I don't think there's any existing Random instance which is a CSPRNG. Maybe it could be rephrased to be less black/white, but I think it deserves special mention that v4 UUIDs require extra measures for cases where you expect "secure" UUIDs.)
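The library/application split described in the snippet above, as an added example that is not part of the original thread or of the uuid project's code. `Config`, `cfgNewUUID`, `Session`, `newSession` and `countingGenerator` are hypothetical names; the library part imports only `Data.UUID.Types` (uuid-types), and the application decides which generator, and therefore which randomness source, is used.

```haskell
module Main (main) where

import Data.IORef (atomicModifyIORef', newIORef)
import Data.Word (Word32)
import Data.UUID.Types (UUID, fromWords, toString) -- uuid-types: all the library needs
import qualified Data.UUID.V4 as V4                -- uuid: imported by the application only

-- Library side (hypothetical). It never generates UUIDs itself; the caller
-- supplies an action of type IO UUID through the configuration record.
newtype Config = Config
  { cfgNewUUID :: IO UUID
  }

data Session = Session
  { sessionId   :: UUID
  , sessionUser :: String
  }

-- The only place the library obtains a UUID is the caller-supplied action.
newSession :: Config -> String -> IO Session
newSession cfg user = do
  sid <- cfgNewUUID cfg
  pure (Session sid user)

-- Test side (hypothetical): a deterministic generator built with fromWords,
-- so tests of the library do not depend on any random source at all.
countingGenerator :: IO (IO UUID)
countingGenerator = do
  ref <- newIORef (1 :: Word32)
  pure (atomicModifyIORef' ref (\n -> (n + 1, fromWords 0 0 0 n)))

main :: IO ()
main = do
  -- Application side: the application picks the generator. Here it is
  -- nextRandom from the uuid package; swapping in another IO UUID action
  -- requires no change to the library code above.
  appSession <- newSession (Config V4.nextRandom) "alice"
  putStrLn (sessionUser appSession ++ ": " ++ toString (sessionId appSession))

  -- Same library code, driven by the deterministic generator.
  gen <- countingGenerator
  s1 <- newSession (Config gen) "test-user"
  s2 <- newSession (Config gen) "test-user"
  mapM_ (putStrLn . toString . sessionId) [s1, s2]
```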
I like phrasing the distinction as application vs. library.
I may prefer going into less detail, but that's the right general approach.
I'm imagining that I'll use the split to add a new dependency on a secure CSPRNG in uuid.
Why are the packages split?
For users: which package is appropriate for use? Are both packages maintained?
For contributors: guidelines for the location for new functionality.