On Sat, Oct 17, 2015 at 03:26:46AM +1100, Steven D'Aprano wrote:
But significanly, only one of the commenters has claimed to have any significant experience in crypto work, and I will quote him:
I didn't specifically claim the experience you requested in responding to your post on comp.lang.python because I thought that this was implied in making a response.
In fact I have 30+ years of experience in implementing cryptographic code (much involving random numbers) so there were at least two respondents who could have made this claim.
For the record, I consider it desirable in code involving security to exhibit the minimum functionality neccessary to get a job done. This is because funtionality and security very often work against each other in building secure systems.
I hence support your conclusion that the module should offer randbelow alone. I would oppose offering randomrange (or offering more than one of them) since this will pretty well guarantee that, sooner or later, someone will make a mistake in using the extra functionality and possibly deploy an insecure application as a result.