Remove Random instance for UUID, or mark it as deprecated

[bitonic]

See #15 (comment) for motivations, and entire ticket for context.

[aslatter]

Are you worried because someone might try to use the instance with StdGen? Maybe anyone that actually cares about randomness won't even bother with the System.Random class, but I'm not sure what harm comes from letting someone try.

[bitonic]

I'm worried about this kind of usage: silkapp/rest@e4ef6a6 . If you do this, you're going to get 64-bit UUIDs and you don't realize it.

[bitonic]

Note that my comment above is based on #15 (comment) .

I think if the Random instance is properly implemented then it is "dangerous" only in the sense that it's not really suitable to generate UUIDs that are hard to predict. Or as you said,

Maybe anyone that actually cares about randomness won't even bother with the System.Random class, but I'm not sure what harm comes from letting someone try.

I still think this difference in behavior warrants at the very least some documentation/warning, considering that UUIDs are very often used to implement things like user sessions tokens that rely on the UUIDs to be hard to predict.

[prikhi]

I ran into this, couldn't figure out how to use the Random a class with something other than System.Random and a figured nextRandom was just a wrapper around randomIO because there wasn't anything saying otherwise.

I think it would be helpful to say that one should use nextRandom for secure purposes and randomIO for general purposes.

[hvr]

@prikhi would you be interested in providing a PR enhancing the Haddock documentation to that effect?

[prikhi]

@hvr Created in #31

[axman6]

I think we're running into this in production, we're getting a lot of collisions of UUIDs generated from a bunch of Lambdas, so we're now looking at generating UUID using something like cryptonite instead.

Edit: Looks like we're probably using the wrong way to generate UUIDs, and V4.nextRandom should be what we use.

[phadej]

Random instance is really little use for AWS Lambda. There the if you generate just a few UUIDs (or even many) they depend heavily on an initial random seed.

https://hackage.haskell.org/package/uuid-1.3.13/docs/Data-UUID-V4.html uses entropy which is a lot better idea in that environment.

I'm tempted to remove Random instance in the next major version of uuid-types and uuid, as I honestly don't see a good reason for it. V4 entropy generation should be good enough for "real" UUID generation, and quickcheck-instances has not-real UUID generation for testing purposes (i.e. essentially generating two Word64s).

... but there aren't any reasons to make major release so for now Random instance will stay.