For those who haven't looked in a while, the uuid module uses ctypes to look up libuuid for uuid_generate_time_safe() and uuid_generate_time() functions. I've run into scenarios where I need to remove this from our own builds, but it seems like it's probably unnecessary anyway? It's certainly a security risk, though in most cases the _uuid module should provide them anyway. I'm proposing to remove the ctypes fallbacks: https://bugs.python.org/issue40501 If anyone knows that they are reliant on not having libuuid at compile time, but being able to load it later via ctypes, it would be great if you could drop by the issue and explain the scenario. Thanks, Steve
On Mon, May 4, 2020 at 9:45 AM Steve Dower <steve.dower@python.org> wrote:
For those who haven't looked in a while, the uuid module uses ctypes to look up libuuid for uuid_generate_time_safe() and uuid_generate_time() functions.
I've run into scenarios where I need to remove this from our own builds, but it seems like it's probably unnecessary anyway? It's certainly a security risk, though in most cases the _uuid module should provide them anyway.
I'm proposing to remove the ctypes fallbacks: https://bugs.python.org/issue40501
If anyone knows that they are reliant on not having libuuid at compile time, but being able to load it later via ctypes, it would be great if you could drop by the issue and explain the scenario.
Thanks, Steve
That seems like a good idea. The ctypes code has been in there since the module was added in 2006. The _uuid extension module only landed in 2017 for Python 3.7. I can't imagine a normal scenario where the _uuid extension module would not exist unless we're talking maybe special needs for PyPy. (I doubt they want ctypes either these days) -gps
participants (2)
-
Gregory P. Smith -
Steve Dower