On Thu, Oct 15, 2015 at 5:57 PM, Steven D'Aprano email@example.com wrote:
As extensively discussed on Python-Ideas, the secrets module and PEP 506 is (I hope) ready for pronouncement.
Looks like client-side JS has window.crypto.getRandomValues() for this: https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValue... Similarly, Node.js offers crypto.randomBytes(): https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback
Additionally, it looks like there's some kind of bold formatting error in the answer to "Q: What about a password generator?" in the HTML version of the PEP.
There is code and tests here:
I think there's a timing-related flaw in the current fallback implementation of equal(): https://bitbucket.org/sdaprano/secrets/pull-requests/1