On 20 October 2015 at 11:33, Victor Stinner firstname.lastname@example.org wrote:
> 2015-10-20 11:11 GMT+02:00 Nick Coghlan email@example.com:
>> Folks wanting to simulate die rolls should be using the random module rather than the secrets module anyway,
> Hum, why? Dice are used in casinos where security matters because it costs money.
True, I was thinking of just-for-fun games, but in gambling games unbiased randomness can be significantly more important.
> A bad API is more likely to be misused and to introduce a security vulnerability. The C rand() API is a good example: 1+rand()%6 is not uniform...
"1 + secrets.randbelow(6)" would be uniform, though. As Tim pointed out, the lack of flexibility in randbelow() is a feature here, since it focuses on producing a uniformly random distribution of a given size, which can then be transformed deterministically.
-- Nick Coghlan | firstname.lastname@example.org | Brisbane, Australia
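
An added example, not part of the original message: it computes the exact bias of 1+rand()%6 and contrasts it with a roll built on secrets.randbelow(6). The RAND_MAX value of 32767 and the helper names are assumptions made for illustration, and the rejection-sampling function is one standard way to get a uniform result, not a claim about how any particular library implements it.

```python
import secrets
from collections import Counter
from fractions import Fraction

RAND_MAX = 32767  # assumption: the smallest RAND_MAX the C standard permits


def modulo_die_distribution(rand_max=RAND_MAX, sides=6):
    """Exact face probabilities of 1 + rand() % sides, assuming rand()
    itself is perfectly uniform on 0..rand_max."""
    total = rand_max + 1
    counts = Counter(1 + r % sides for r in range(total))
    return {face: Fraction(counts[face], total) for face in range(1, sides + 1)}


def rejection_die_distribution(bits=3, sides=6):
    """Exact face probabilities when a uniform `bits`-bit draw is thrown
    away and redrawn whenever it is >= sides (rejection sampling)."""
    accepted = [r for r in range(1 << bits) if r < sides]
    counts = Counter(1 + r for r in accepted)
    return {face: Fraction(counts[face], len(accepted))
            for face in range(1, sides + 1)}


def roll_die(sides=6):
    """Uniform size-`sides` draw, then a deterministic shift to 1..sides."""
    return 1 + secrets.randbelow(sides)


if __name__ == "__main__":
    # 32768 = 6 * 5461 + 2, so two faces get one extra preimage each.
    for face, p in modulo_die_distribution().items():
        print(f"modulo    face {face}: {p} (excess over 1/6: {p - Fraction(1, 6)})")
    for face, p in rejection_die_distribution().items():
        print(f"rejection face {face}: {p}")
    print("sample rolls:", [roll_die() for _ in range(10)])
```

The bias shrinks as RAND_MAX grows but disappears only when RAND_MAX + 1 is a multiple of the number of sides.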