-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UID Entropy very low #200
Comments
I have been planning to use UUIDs for some time, but then I would also throw away domain(). Accordingly, I'm planning to make the change for a new version when a little bit of stuff has come together. You are welcome to create an issue, I don't think there is one yet. But as a quick fix I would prefer the longer IDs. Enough for now and we can clean it later. |
Alright, I'll create a PR for longer IDs. |
# [1.3.0-develop.1](v1.2.1...v1.3.0-develop.1) (2021-02-27) ### Bug Fixes * **package.json:** add temporary version ([0bc117e](0bc117e)) * allow X-attrs to be specified in constructor ([#185](#185)) ([58c1ae5](58c1ae5)) * capitalize byDay even when bySetPos is used ([#205](#205)) ([5440fbc](5440fbc)) * **Typings:** Fix OPT-PARTICIPANT ([b777f9e](b777f9e)), closes [#192](#192) * Fix scale type for CalendarData ([#191](#191)) ([d5421e8](d5421e8)) * Make x key optional in types ([#211](#211)) ([e3c21e2](e3c21e2)) * Type fixes and updates ([#217](#217)) ([d8abe4d](d8abe4d)) ### Features * **Events:** Add appleLocation method ([#170](#170)) ([0956ba2](0956ba2)) * Add missing string input options to interface ([#199](#199)) ([a963178](a963178)) * Add Transparency Method ([bd2901d](bd2901d)) * Increase id entropy - Fixes [#200](#200) ([#202](#202)) ([6711b0a](6711b0a)) * make domain optional ([#209](#209)) ([e3362c9](e3362c9)) * Updated the entire codebase to Typescript ([d013dc0](d013dc0)) * **Events:** use provided timezone when constructing repeating.exclude ([#210](#210)) ([bd84230](bd84230))
🎉 This issue has been resolved in version 1.3.0-develop.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Currently, if no ID is given to the event manually, a 4 character ID is generated consisting of the character set a-z 0-9. This has an entropy of less than 21 bits and creating more than a few tens of events in a calendar comes with a significant risk of id collisions. I would suggest either modifying the current method to create significantly longer random strings or switching to UUIDs (which is the official recommendation, see https://icalendar.org/New-Properties-for-iCalendar-RFC-7986/5-3-uid-property.html).
In the latter case, fully following the recommendation would also mean getting rid of the domain property, though it would still be valid to include it after the UUID, provided the domain name is no longer than 218 bytes. It should be noted though that the spec states
"UID" values MUST NOT include any data that might identify a user, host, domain, or any other security- or privacy-sensitive information.
Either way, if you would like such a change and let me know which variant you prefer, I'd be happy to create a PR.
The text was updated successfully, but these errors were encountered: