[ANN] uuid 1.0.0 released


Thijs Schreijer

Oct 12, 2024, 7:26:27 PM
to lu...@googlegroups.com
List,

Happy to announce that the module 'uuid' version 1.0.0 is now available on
LuaRocks and Github[1]. It has several breaking changes over the previous
version[2]. Compatibility with Lua versions 5.1 to 5.4 remains.

The library generates uuid v4, in pure Lua. Though the recommended use
is with LuaSystem, since it provides crypto level randomness (on both
Posix and Windows) which cannot be achieved in pure Lua.

The most interesting part however is the struggle to get proper quality
random numbers, and seeds for that matter. So the submodule for that
might have some interesting functionality[3].

Enjoy! Comments are welcome.
Thijs

[1]: github source: https://github.com/Tieske/uuid

Sainan

Oct 12, 2024, 7:34:48 PM
to lu...@googlegroups.com
Well, the answer to cryptographic RNG is not that interesting in my experience:
> On Windows, use BCryptGenRandom.
> On Linux, use getrandom.
> Anything else that quacks like Unix, open /dev/urandom and read from it.

One of these you can even do in pure Lua. :P

-- Sainan

sur-behoffski

Oct 13, 2024, 4:06:11 AM
to lu...@googlegroups.com
Some quick possible-caveats about /dev/urandom:

1. It may have less entropy than /dev/random. The lack of entropy might
make it more vulnerable to attack, although "none have been published
yet" (sigh: Wikipedia: https://en.m.wikipedia.org/wiki//dev/urandom).

2. In some cases, access to /dev may be denied by a call to chroot(2).
In this case, neither /dev/random nor /dev/urandom is reachable via
Lua's io.open().

3. I believe that relevant POSIX standards are a better source than
"quacks like Unix", if available/applicable. I know of some projects
that demand POSIX references over (e.g.) Wikipedia references.

----

Linux's getrandom is designed to give read access to the kernel's
[u]random infrastructure, even where the /dev/ equivalents are
unavailable.

--------

In any case, the potential traps and pitfalls regarding security,
including random number generators, scare me greatly... where possible,
I try to defer to known-good code from highly-reputable sources
(including defending against supply-chain attacks).


Hope this helps. s-b

Sainan

Oct 13, 2024, 7:46:35 AM
to lu...@googlegroups.com
Well, from what I understand, there's 2 types of "cryptographically secure" RNG:
- Straight from a solid entropy source
- From a solid entropy source but with extra processing (a DRBG) to extrapolate more bits.

For example, BCryptGenRandom is the latter, using a DRBG compliant with NIST SP800-90 to extrapolate more bits from hardware entropy sources.

For me, this is desirable because I personally don't want my program to block just because the system "ran out of entropy."

As a certified Windows pleb, I don't know the ins & outs of /dev/random and /dev/urandom, but from what I understand, /dev/urandom should be similar to BCryptGenRandom.

The chroot concern is certainly valid. Tho, I would just error if it failed to open and then it's the user's fault. :P

-- Sainan
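
[Added example, not part of the thread and not code from the uuid module: the pure-Lua /dev/urandom route mentioned above, with the "error if it fails to open" behaviour for the chroot case. The function names read_urandom and uuid4 are hypothetical; it assumes a Unix-like system and runs on Lua 5.1 to 5.4.]

```lua
-- Added example: UUID v4 from /dev/urandom in pure Lua (5.1 to 5.4).
-- read_urandom and uuid4 are hypothetical names, not the uuid module's API.
local unpack = table.unpack or unpack

local function read_urandom(n)
  local f, err = io.open("/dev/urandom", "rb")
  if not f then
    -- e.g. a chroot without /dev, or a non-Unix platform: report the
    -- failure instead of silently falling back to math.random
    return nil, "cannot open /dev/urandom: " .. tostring(err)
  end
  f:setvbuf("no") -- do not buffer more random bytes than requested
  local parts, have = {}, 0
  while have < n do
    -- a read may return fewer bytes than asked for, so loop until done
    local chunk = f:read(n - have)
    if not chunk or #chunk == 0 then
      f:close()
      return nil, "short read from /dev/urandom"
    end
    parts[#parts + 1] = chunk
    have = have + #chunk
  end
  f:close()
  return table.concat(parts)
end

local function uuid4()
  local bytes, err = read_urandom(16)
  if not bytes then error(err, 2) end
  local b = { bytes:byte(1, 16) }
  -- Arithmetic instead of bit operators, which Lua 5.1 lacks.
  -- Byte 7 (1-based): high nibble becomes the version, 4.
  b[7] = b[7] % 16 + 0x40
  -- Byte 9 (1-based): top two bits become the variant, binary 10.
  b[9] = b[9] % 64 + 0x80
  return string.format(
    "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
    unpack(b))
end

print(uuid4())
```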

Thijs Schreijer

Oct 13, 2024, 4:44:06 PM
to lu...@googlegroups.com
So I guess you read the docs :)

Joking aside; the RNG stuff is not interesting if you live in a perfect world on a perfect platform where there is unlimited entropy at all times.

That's not my world. I typically have to deal with Posix and Windows, and even then won't always have access to a compiler, so might have to resort to pure-Lua. That requires trade-offs between the quality of the random data used vs the requirements of my use-case. Having the ability to get a not-perfect-but-good-enough solution in this challenging field is really nice to have.

LuaSystem is used because it is a cross-platform lib that provides a `system.random()` function to handle this. So this is an easy fix for the platform problem.

The docs are riddled with warnings, that you really should understand what you're doing when using the module. I'd suggest for anyone not understanding the challenges of RNGs and seeding them, to just use LuaSystem.

Thijs

Denis Dos Santos Silva

Oct 15, 2024, 3:59:30 AM
to lua-l
note: uuid have some variants

A Complete Guide to UUID Versions (v1, v4, v5) - With Examples