June 10, 2016
9:06 p.m.
On 06/10/2016 12:54 PM, Theodore Ts'o wrote:
So even on Python pre-3.5.0, realistically speaking, the "weakness" of os.random would only be an issue (a) if it is run within the first few seconds of boot, and (b) os.random is used to directly generate a long-term cryptographic secret. If you are fork openssl or ssh-keygen to generate a public/private keypair, then you aren't using os.random.
Just a gentle correction: wherever Mr. Ts'o says "os.random", he means "os.urandom()". We don't have an "os.random" in Python. My thanks to today's celebrity guest correspondent, Mr. Theodore Ts'o! //arry/