I also think it’s a great module for providing defaults that we can’t provide in os.urandom, like the number of bytes that are considered “secure” [1].
What I don’t think is that the secrets module means that all of a sudden os.urandom is no longer an API that is primarily used in a security sensitive context.
Not all of a sudden. However, I guess things will change in the future. If we want the secrets module to be the first and only place where crypto goes, we should work towards that goal. It needs proper communication, marketing etc. Deprecation periods can be years long. This change (whatever form it will take) can be carried out over 3 or 4 releases when the ultimate goal is made clear to everybody reading the docs. OTOH I don't know whether long deprecation periods are necessary here at all. Other industries are very sensitive to fast changes. Furthermore, next generations will be taught using the new way, so the Python community should not be afraid of some changes because most of them are for the better.

On 16.06.2016 15:02, Donald Stufft wrote:
I think that os.urandom is the most obvious thing that someone will reach for given:
* Pages upon pages of documentation both inside the Python community and outside saying “use urandom”.
* The sheer bulk of existing code that is already out there using os.urandom for its cryptographic properties.
That's maybe you. However, as stated before, I am not an expert in this field. So, when I need to, I first would start researching the current state of the art in Python. If the docs say: use the secrets module (e.g. near os.urandom), I would happily comply -- especially when there's a reasonable explanation. That's from a newbie's point of view.

Best,
Sven