On Thu, Jun 16, 2016 at 1:04 PM, Donald Stufft <donald@stufft.io> wrote:
In my opinion, this is a usability issue as well. You have a ton of third party documentation and effort around “just use urandom” for Cryptographic random which is generally the right (and best!) answer except for this one little niggle on a Linux platform where /dev/urandom *may* produce predictable bytes (but usually doesn’t).
Why not consider opt-out behavior with environment variables? Eg: people that don't care about crypto mumbojumbo and want fast interpreter startup could just use a PYTHONWEAKURANDOM=y or PYTHONFASTURANDOM=y. That ways there's no need to change api of os.urandom() and users have a clear and easy path to get old behavior. Thanks, -- Ionel Cristian Mărieș, http://blog.ionelmc.ro