Always use os.urandom for generating uuid4s #69701

alex · 2015-10-29T22:30:57Z

BPO	25515
Nosy	@warsaw, @alex, @dstufft, @jayvdb
Files	uuid.diff

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2015-10-30.03:40:45.391>
created_at = <Date 2015-10-29.22:30:56.758>
labels = ['library']
title = 'Always use os.urandom for generating uuid4s'
updated_at = <Date 2015-10-30.03:40:45.381>
user = 'https://github.com/alex'

bugs.python.org fields:

activity = <Date 2015-10-30.03:40:45.381>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2015-10-30.03:40:45.391>
closer = 'python-dev'
components = ['Library (Lib)']
creation = <Date 2015-10-29.22:30:56.758>
creator = 'alex'
dependencies = []
files = ['40899']
hgrepos = []
issue_num = 25515
keywords = ['patch', 'needs review']
message_count = 5.0
messages = ['253697', '253698', '253699', '253707', '253713']
nosy_count = 5.0
nosy_names = ['barry', 'alex', 'python-dev', 'dstufft', 'jayvdb']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue25515'
versions = ['Python 2.7', 'Python 3.5', 'Python 3.6']

alex · 2015-10-29T22:30:56Z

Right now uuid4 can be implemented one of 3 ways:

If there's a libuuid (and it's not OS X's) it uses that.
Fallback to os.urandom
If that raises an exception, fall back to the random module

I propose to simplify this to _just_ use os.urandom always. Reasons:

Its security properties are more obviously correct. (There's a large comment in uuid.py about how libuuid doees the wrong thing with fork on OS X, who knows if it's correct on other platforms)
It's simpler.
It's faster:

a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "_buffer = ctypes.create_string_buffer(16); uuid._uuid_generate_random(_buffer); bytes(_buffer.raw)"
100000 loops, best of 3: 10 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "_buffer = ctypes.create_string_buffer(16); uuid._uuid_generate_random(_buffer); bytes(_buffer.raw)"
100000 loops, best of 3: 10.3 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "_buffer = ctypes.create_string_buffer(16); uuid._uuid_generate_random(_buffer); bytes(_buffer.raw)"
100000 loops, best of 3: 9.99 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "_buffer = ctypes.create_string_buffer(16); uuid._uuid_generate_random(_buffer); bytes(_buffer.raw)"
100000 loops, best of 3: 10.2 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "_buffer = ctypes.create_string_buffer(16); uuid._uuid_generate_random(_buffer); bytes(_buffer.raw)"
100000 loops, best of 3: 10.2 usec per loop
a_gaynor@miranda:$
a_gaynor@miranda:$
a_gaynor@miranda:$
a_gaynor@miranda:$
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "os.urandom(16)"
100000 loops, best of 3: 8.94 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "os.urandom(16)"
100000 loops, best of 3: 8.92 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "os.urandom(16)"
100000 loops, best of 3: 8.97 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "os.urandom(16)"
100000 loops, best of 3: 8.93 usec per loop
a_gaynor@miranda:$ python -mtimeit -s "import uuid; import os; import ctypes" "os.urandom(16)"
100000 loops, best of 3: 8.94 usec per loop
a_gaynor@miranda:$
a_gaynor@miranda:$
a_gaynor@miranda:~$ python --version
Python 2.7.3

alex · 2015-10-29T22:31:26Z

(Note that the speed difference would be even bigger on a recent python, 2.7.3 was before the file descriptor was cached for os.urandom)

warsaw · 2015-10-29T22:58:35Z

On Oct 29, 2015, at 10:30 PM, Alex Gaynor wrote:

Right now uuid4 can be implemented one of 3 ways:

If you're hacking on the uuid module, keep in mind bpo-22807

dstufft · 2015-10-30T01:57:45Z

This looks like a good idea to me, faster and more secure seems like a total win.

python-dev · 2015-10-30T03:40:45Z

New changeset 24bdc4940e81 by Benjamin Peterson in branch '2.7':
always use os.urandom for the uuid4 algorithm (closes bpo-25515)
https://hg.python.org/cpython/rev/24bdc4940e81

New changeset 70be1f9c9255 by Benjamin Peterson in branch '3.5':
always use os.urandom for the uuid4 algorithm (closes bpo-25515)
https://hg.python.org/cpython/rev/70be1f9c9255

New changeset 756d040aa8e8 by Benjamin Peterson in branch 'default':
merge 3.5 (bpo-25515)
https://hg.python.org/cpython/rev/756d040aa8e8

alex added the stdlib Python modules in the Lib dir label Oct 29, 2015

python-dev mannequin closed this as completed Oct 30, 2015

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Always use os.urandom for generating uuid4s #69701

Always use os.urandom for generating uuid4s #69701

alex commented Oct 29, 2015

alex commented Oct 29, 2015

alex commented Oct 29, 2015

warsaw commented Oct 29, 2015

dstufft commented Oct 30, 2015

python-dev mannequin commented Oct 30, 2015

Always use os.urandom for generating uuid4s #69701

Always use os.urandom for generating uuid4s #69701

Comments

alex commented Oct 29, 2015

alex commented Oct 29, 2015

alex commented Oct 29, 2015

warsaw commented Oct 29, 2015

dstufft commented Oct 30, 2015

python-dev mannequin commented Oct 30, 2015