Threads for pgr0ss

  1. 2

    Creator of https://www.ulidtools.com here - nice site! ULIDS ftw.

    1. 2

      Are you sure that these strings are UUIDv4?

      01859DB9-6B25-D56C-588A-F72D574F5A18
      01859DBA-7172-6F88-78CE-52F5D447B79F
      01859DBA-8F2C-D57A-8ED8-F1519161A51C
      01859DBA-BCDD-F392-6FF9-66A47252644B
      
      1. 2

        For anyone who’s wondering what makes them not UUIDv4s, I guess it’s because the first part, 01859DB9-, does not look very random. A UUIDv4 however is completely random, like:

        $ for x in $(seq 5); do uuidgen; done
        F61DCF92-863B-4250-98EA-16E417311539
        F6411104-AA7F-47D9-B4F2-D6A2B96834B5
        A5D25324-E8B6-478F-B626-28ACC7683988
        27A8CB5A-2307-467E-A076-8EF5D7C05ED8
        D1F034B1-C2B2-43C7-B4C1-DE7550E86FEF
        
        1. 7

          The issue is that the version/variant aren’t correct for UUIDv4. You can see when you decode them: https://www.uuidtools.com/decode

          1. 1

            Thanks! Didn’t know that the version is encoded in the UUID.

      2. 1

        Wow, that’s great! Is it open source?

      1. 3

        Would you choose UUID v6/v7 if they were more stable and prevalent, do you think? Or does the base32 encoding of ULIDs play a significant role in preferring them?

        1. 1

          Yeah, maybe, although I do think you still need a better encoding for URLs and such.

          1. 1

            Well, canonical hex encoding isn’t enforced in any way. You can use whatever encoding format you want.

        1. 4

          One of the downsides—potentially—is that each ULID leaks the information of when it was created. I mean, this is obviously one of the big selling points of ULIDs, but there might be situations where it’s undesirable.

          1. 3

            Good point. I added it to my list of downsides. Thanks!

            1. 2

              I came here to say this… The main reason to use random UUIDs is that they are meaningless identifiers and they do not reveal anything else (increment counts, creation dates, node where entity was created, whether one entity was created before/after the other one, entity types, categories, tags or other metadata).

              There might be a reason to use ULID sometimes, but when designing a system and identifier scheme, I would rather be a bit paranoid by default and not encode any other data into the identifier unless I have a really good reason to do so.

              1. 4

                Nit: only UUIDv4 is random. Versions 1 and 2 definitely leak information, since they encode a timestamp and a MAC address of the node generating the id.
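Added example (not written by any participant in the thread): it decodes the version and variant bits of the four strings quoted above and reads their first 48 bits as a millisecond Unix timestamp, which is the ULID layout. It assumes those strings are ULIDs printed in UUID hex form; the function names are illustrative.

```python
import uuid
from datetime import datetime, timedelta, timezone

# The four strings quoted in the thread, plus one uuidgen output from the same thread.
THREAD_IDS = [
    "01859DB9-6B25-D56C-588A-F72D574F5A18",
    "01859DBA-7172-6F88-78CE-52F5D447B79F",
    "01859DBA-8F2C-D57A-8ED8-F1519161A51C",
    "01859DBA-BCDD-F392-6FF9-66A47252644B",
]
UUIDGEN_SAMPLE = "F61DCF92-863B-4250-98EA-16E417311539"

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def fields(text):
    """Return (version nibble, True if the variant bits are RFC 4122's '10')."""
    n = uuid.UUID(text).int
    version = (n >> 76) & 0xF                  # high nibble of octet 6
    rfc_variant = ((n >> 62) & 0x3) == 0b10    # top two bits of octet 8
    return version, rfc_variant


def is_uuid4(text):
    """A UUIDv4 must carry version 4 and the RFC 4122 variant."""
    return fields(text) == (4, True)


def leading_timestamp(text):
    """Read the first 48 bits as Unix milliseconds (the ULID layout).

    Returns None when the value lies beyond datetime's supported range.
    """
    ms = uuid.UUID(text).int >> 80
    try:
        return EPOCH + timedelta(milliseconds=ms)
    except OverflowError:
        return None


if __name__ == "__main__":
    for s in THREAD_IDS + [UUIDGEN_SAMPLE]:
        print(s, fields(s), is_uuid4(s), leading_timestamp(s))
```

Note that the second string happens to carry version nibble 6 and the third happens to carry the RFC 4122 variant, so checking only one of the two fields is not enough to classify an identifier.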

            1. 11

              Braintree doesn’t use globally-unique ids for their transaction records. 48 hours I’ll never get back.

              1. 1

                Isn’t that a payment system? This seems pretty worrying…

                1. 1

                  Yes… and I have plenty more horror stories where that came from.

                2. 1

                  Hi, I work at Braintree and we do and have always used globally unique ids for transactions. You may have run into a recent issue we had, though (https://status.braintreepayments.com/incidents/n1hf4hj89lks). We have since cleaned up the duplicate ids and put measures into place to help prevent issues like this in the future. If that timeline doesn’t line up with what you saw, we’d love to know more.

                  1. 1

                    No, this was caused by switching a dev environment to a different sandbox account. Your API was giving us transaction IDs that were colliding with ids we received from the previous merchant. Thankfully, this never impacted production.

                    I sincerely doubt that your ids are globally unique because they’re far too short for that, and because of this blog post.

                    1. 1

                      That post is referring to the fact that a transaction id might be the same as a customer id, and that given only an id, we don’t know what type it is. Transaction ids are unique against all other transaction ids.

                      1. 1

                        Nevertheless, your sandbox did repeat transaction ids. I have two days’ wasted time to show for it.