Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

UUIDs are only unique if you generate them...

UUIDs are only unique if you generate them...

  • Comments 28

We had an internal discussion recently and the upshot of the discussion was that it turns out that some distributed component on the web appears to have used the UUID of a sample COM component.

Sigh.

I wonder sometimes why people do this.  It's not like it's hard to run uuidgen and then copy the relevent GUIDs to your RGS file (and/or IDL file, or however it is you're defining and registering your class).

I guess the developers of the distributed component figured that they didn't have to follow the rules because everyone else was going to follow them.

And, no, I don't know what component it was, or why they decided to copy the sample.

So here's a good rule of thumb.  When you're designing a COM component, you should probably use UUIDGEN (or UuidCreate()) to generate unique (and separate) GUIDS for the Interface ID, Class ID, and Library ID and App ID.

 

  • Because they don't know the meaning of the GUIDS. They just copy paste the example code and then forget about that.
  • Textbox cargo cult programming: http://blogs.msdn.com/EricLippert/archive/2004/03/01/82168.aspx
  • Or use <a href="http://www.codeproject.com/macro/guidgennet.asp">GUIDGen.NET </a>
  • I reused a MS GUID 2 weeks ago. It's name for the time being is MustChangeGUID.reg as I didn't have anyway of generating a new one without rooting around for VS CD. And that reminds me VS is now reinstalled so I'm off to make a new one.

    It was adding a menu entry to the IE tools menu. One requires a GUID (for no good reason I can see - there is no code attached). First I thought any string will do. Well test didn't substitute for a meaningless number. So I chose a IE4 powertoy GUID.

    Only a moron would have thought up GUIDs in the first place. I understand the problem it solves but meaningless numbers are meaningless numbers. They are too long for humans to work with, remember, or anything. Didn't someone invent an assembler to solve a meaningless number problem, eg Int 21 instead of 52513.
  • Actually GUIDs were a part of DCE, which was designed by a bunch of mainframe people years ago.

    GUIDs have three qualities that make them useful:

    1) They're fixed size (which is good for lots of networking protocols)
    2) They're unique.
    3) They're easily generated.

    Strings don't have any of the above qualities (they can have quality #2, but if so, it loses quality #3)
  • > 2) They're unique

    I thought that was only true on machines with a NIC (since it uses the MAC address as part of the generation process, and the MAC address is going to be unique) but if you don't have a NIC, there's no way to ensure with 100% certainty that the number's going to be unique...

    Then again, how many machines are there these days without a network card?
  • I can totally see how this happened. Code was copied, pasted, forgotten about, rediscovered. You can't tell by looking at the code if the GUID has been used before or replaced*. It's often a hassle to replace a GUID, since it's in 2 or 3 different places (idl, reg) in multiple formats (so you can't do a naive search and replace) and you get mysterious errors if you don't fix them all (or no errors until you try on a clean machine).

    * How would that be for a "What's wrong with this code" installment? The GUID comes from MSDN code sample X.
  • Hah!

    Unique MAC addresses in network cards.

    Right.

    Our programs have installation IDs generated from (a) the numerical lowest network card MAC address, if any are present, or (b) randomly.

    We get two sorts of problems all the time:

    - installation IDs that were generated randomly because no suitable MAC was available

    - conflicting installation IDs at multiple customers' sites because the MAC wasn't unique

    I just wish privacy fanatics hadn't killed the Pentium ID feature, this kind of problem would be much easier to solve if we had that. Unfortunately, as it is, I don't know of a single reliable way to uniquely identify a user's PC.
  • Also, we've had one of our own GUIDs, generated by guidgen, conflict with some other component, apparently by complete accident. Fix? We generated a new GUID...
  • Denis, UuidCreateSequential can be used to create a UUID that's tied to the user's machine.

    There's a HUGE caveat though. By using UuidCreateSequential, you potentially leak anonymous identifiable information about the user. You need to ensure that your privacy policy allows for this.

    UuidCreate should be "good enough" - the chances of a 128 bit cryptographically secure random number colliding is relatively small.
  • Yes it's a good idea for people to read the rules and use GUIDgen, just as it's a good idea for people to read the rules and write valid C (or C++). Let's hope that one reminder will be enough for some of them.

    On the other hand, yes there are still a lot of PCs without built-in LAN cards. PCMCIA-Ethernet and USB-Ethernet adapters are still strong sellers.
  • Hmm, you know I have done a lot of experimenting with guids, trying to generate the same one even multiple ways.

    Ok so I was really bored one day. Idle Programmers hands do weird things. Anyway I was playing generating GUIDs in SQL server, in .net and through some old VB Code that taps into UuidCreate

    Anyway all of them were inserting the guids they generated into the SQL server and the SQL server was using a unique ID to hold the guids it was inserting and the unique ID was also a guid. I am not sure the algorithms MS uses to generate the guids but something is based on time because I would get a lot of guids generated with like the first 12 characters would be the same then like every second the first 12 would change. This was in .net SQL server there was no real pattern to the guid and the VB one I don't remember. Anyway not one of all these GUID I generated were the same. So how the heck does it happen that people get the same GUID. I am not saying it can't happen but the chances of getting the same guid I think are greater than winning the lottery, now the example above is blatant that someone copied the guid from the sample. However, it seems that I have been hearing more and more lately about guid collisions. Kent Sharky even found this weird experience. http://blogs.msdn.com/ksharkey/archive/2004/10/28/249164.aspx

    I guess maybe is there talk of changing the GUID? Making it bigger or different? It seems more and more it is getting used everywhere. The chances of guids not being unique are getting slimmer and slimmer. I know there are GUIDs in com just look at how many dlls are on your machine. There are guids in hardware and drivers, guids are used in databases. Active directory sheesh each object in there may use 2 or more guids plus something called a SID, never understood a SID, but I know it is also a unique identifier to each object. Is it possible that the world may be running out of GUIDs just like IP addresses? hence the reason for IPv6. I know there are 16 bit guids, and I know there are 32 bit guids, are there now 64 bit guids? At one time we thought the world would never run out of IP addresses. Could ever find ourselves in a world where the guid runs out.
  • 128 bits represents about 6.8x10^38 unique numbers.

    For reference, there are about 8.8x10^49 atoms in the earth.

    It's not likely that the UUID space is going to be going away anytime soon.

    Paul Leach wrote up an I-D with the format of a UUID several years ago, I'm not totally sure why it wasn't submitted as an informational RFC, but...:

    http://www.opengroup.org/dce/info/draft-leach-uuids-guids-01.txt
  • They are fine for programming. In VB I don't even see them or think about them (normally). But when there is problems, mine or others, it is impossible (well without writing things down) to troubleshoot. The human brain can contains 7 items in short term memory. Unique strings need to have less than 7 items (although real words can count as 1).

    I mean one can''t even find things in Add/Remove anymore as GUIDs migrate there. Microsoft word has gone from Word to a 128 bit number.

    I recall a thing called DNS to handle small 32 bit numbers. And didn't LAN Manager use names rather than numbers for the benefit of humans.

    This is something designed by an engineer.

    Here is some HTML,
    <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"
    ID=dsoMacro5 WIDTH=0 HEIGHT=0>
    <PARAM NAME="DataURL" VALUE="music.txt">
    <PARAM NAME="UseHeader" Value="True">
    <PARAM NAME="FieldDelim" VALUE="&#09;">
    <PARAM NAME="Sort" Value="Title">
    </OBJECT>

    I copied the above code once (years ago) and each time I use it I copy the previous time I used it (I love tab delimited databases - like screwdrivers there is no problem they can't solve). I don't know that stupid number, never will, so cut and paste is the only way to make a display page for whatever data. That means I NEED to find a previous page to make a new page or I am stuck.

    A GUID conveys no information.

    Maybe random word would be a better idea, eg

    {dog-cat-mouse-supercalafragalistic....-hate-guid}

    This would allow 7 words rather than 7 letters/numbers to be remembered.
  • Denis wrote:
    Our programs have installation IDs generated from (a) the numerical lowest network card MAC address ...
    We get two sorts of problems all the time:
    ...
    - conflicting installation IDs at multiple customers' sites because the MAC wasn't unique

    It is not uncommon for PCs to have "pretend" network interfaces for things like VPNs, modems, the loopback adaptor and so on. To avoid confusing higher software layers these pretend devices can have a MAC address, and it's often the same address on every PC (which shouldn't matter, because it's not actually used for anything). If you're grabbing a MAC address for uniqueness you need to ensure it's from a real network interface card.
Page 1 of 2 (28 items) 12