haskell-hvr / uuid

A Haskell library for creating, printing and parsing UUIDs
http://hackage.haskell.org/package/uuid

Update README to describe rationale and guidance for split-packages #8

Closed aslatter closed 9 years ago

aslatter commented 9 years ago

Why are the packages split?

For users: which package is appropriate for use? Are both packages maintained?

For contributors: guidelines for the location for new functionality.

aslatter commented 9 years ago

Also - include versioning policy w.r.t. changes to uuid-types requiring (or not requiring) a change in the uuid version.

BardurArantsson commented 9 years ago

Would you like any help/input on this? I think I could (hopefully!) try to string some words together this weekend. They'll probably need to be edited heavily, but...

aslatter commented 9 years ago

Ah! Sorry for letting this languish, I'd meant this to be notes to myself.

I can cut a release for you without this, probably late tonight or early tomorrow morning.

BardurArantsson commented 9 years ago

No, no, let's have a good rationale ready! It wasn't my intention to rush you or anything! I honestly just wanted to know if I could help! :)

BardurArantsson commented 9 years ago

Just a little snippet:

If you're developing a library, you'll probably want to use uuid-types to minimize the number of additional dependencies you're imposing on the users of your library. You'll probably want to supply some sort of runtime configuration which will allow your users to supply their own way to generate UUIDs. For example, you could let users of your library supply a value of type IO UUID which you can then use to generate UUIDs as appropriate. You should probably not rely on the built-in instances for UUID to generate UUIDs since that takes away choice from the users of your library. (As a special case, the built-in Random instance for UUID does not use a cryptographically secure random number generator by default. Currently there are no extant implementations of Random for any CSPRNG, mostly due to the requirement for a "split" method.)

(About that last bit with "split": I'm not 100% sure, but I don't think there's any existing Random instance which is a CSPRNG. Maybe it could be rephrased to be less black/white, but I think it deserves special mention that v4 UUIDs require extra measures for cases where you expect "secure" UUIDs.)
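
The design proposed in the snippet above, as an added example that is not part of the original thread or of the uuid project's code: a library that depends only on uuid-types and takes its generator as an IO UUID, and an application that injects a version 4 generator fed from the operating system's entropy source. The names Config, genUUID, newSessionId, v4FromBytes and secureV4 are hypothetical, and using getEntropy from the entropy package as the random source is an assumption of this example.

```haskell
module Main (main) where

import Data.Bits (shiftL, (.&.), (.|.))
import qualified Data.ByteString as BS
import Data.UUID.Types (UUID, fromWords, toString)  -- uuid-types only
import Data.Word (Word32)
import System.Entropy (getEntropy)                  -- application-side dependency

-- Library side (hypothetical): depends on uuid-types alone and never picks
-- a generator itself; the caller injects one as an IO UUID.
newtype Config = Config { genUUID :: IO UUID }

newSessionId :: Config -> IO String
newSessionId cfg = toString <$> genUUID cfg

-- Application side: build a version 4 UUID from exactly 16 bytes by
-- overwriting the version nibble and the two variant bits (RFC 4122).
v4FromBytes :: BS.ByteString -> Maybe UUID
v4FromBytes bs
  | BS.length bs /= 16 = Nothing
  | otherwise          = Just (fromWords (word 0) w1 w2 (word 3))
  where
    -- Big-endian 32-bit word number i of the input.
    word :: Int -> Word32
    word i = BS.foldl' (\acc b -> (acc `shiftL` 8) .|. fromIntegral b) 0
                       (BS.take 4 (BS.drop (4 * i) bs))
    w1 = (word 1 .&. 0xffff0fff) .|. 0x00004000  -- version = 4
    w2 = (word 2 .&. 0x3fffffff) .|. 0x80000000  -- variant = 10xx

-- Generator backed by the operating system's entropy source.
secureV4 :: IO UUID
secureV4 = do
  bytes <- getEntropy 16
  maybe (ioError (userError "entropy source returned wrong length")) pure
        (v4FromBytes bytes)

main :: IO ()
main = do
  sid <- newSessionId (Config secureV4)
  putStrLn sid
```

Because the library only ever sees an IO UUID, a test suite can inject a fixed value and a deployment that needs unguessable identifiers can inject secureV4, without the library gaining a dependency on any random number package.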

aslatter commented 9 years ago

I like phrasing the distinction as application vs. library.

I may prefer going into less detail, but that's the right general approach.

I'm imagining that I'll use the split to add a new dependency on a secure CSPRNG in uuid.