
On 27 September 2015 at 00:04, Chris Angelico <rosuav@gmail.com> wrote:
Can you adequately define "secure enough" across all purposes? If so, I would support that. The precise number would never be documented specifically (if you want to know what your version does, try it interactively), and then it can indeed be changed in 3.6.3 - or even without a version number bump at all (in ten years' time, Red Hat might choose to continue shipping CPython 3.6.1, but change the default entropy value).
We backported PEP 466 with its "the default SSL context settings may change in maintenance releases" behaviour to the Python 2.7.5-based system Python in RHEL 7.2, so I expect we'd be OK with backporting changes to default entropy settings in the secrets module. The default settings in the system provided OpenSSL have also long been subject to change (that's one of the reasons CPython defaults to dynamically linking to OpenSSL on *nix systems).

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
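The thread's practical point is that the secrets module's default token size is deliberately left unspecified and may move between releases, so a caller should probe it interactively and pin an explicit size wherever a fixed length matters. The following is an added example illustrating that (it is not code from the thread or from CPython); `MIN_TOKEN_BITS`, `default_token_entropy_bits`, `pinned_token_hex` and `default_meets_policy` are names chosen here for illustration, and the 128-bit threshold is an assumed policy value, not one the thread states.

```python
import secrets

# Assumed policy threshold for this example: the least entropy the caller
# will accept in a security token. Not a value from the thread.
MIN_TOKEN_BITS = 128


def default_token_entropy_bits() -> int:
    """Measure, rather than assume, the entropy behind secrets.token_bytes()
    with no argument. The default length is intentionally undocumented and
    may change in a maintenance release, so the only reliable way to know
    what the running interpreter does is to ask it."""
    return len(secrets.token_bytes()) * 8


def pinned_token_hex(nbytes: int = 32) -> str:
    """Generate a token with an explicit size, so code that persists the
    token in a fixed-width field keeps working if the default changes.
    Rejects sizes below the assumed policy minimum."""
    if nbytes * 8 < MIN_TOKEN_BITS:
        raise ValueError(
            f"{nbytes} bytes is below the {MIN_TOKEN_BITS}-bit minimum"
        )
    # token_hex(n) draws n random bytes and returns 2*n hex characters.
    return secrets.token_hex(nbytes)


def default_meets_policy() -> bool:
    """True when this interpreter's default token size satisfies the
    assumed policy; a deployment check, not a compile-time constant."""
    return default_token_entropy_bits() >= MIN_TOKEN_BITS


if __name__ == "__main__":
    bits = default_token_entropy_bits()
    print(f"default token entropy on this interpreter: {bits} bits")
    print(f"meets the {MIN_TOKEN_BITS}-bit policy: {default_meets_policy()}")
    print(f"pinned 32-byte token: {pinned_token_hex(32)}")
```

Running the script on each interpreter you ship against shows the current default, while `pinned_token_hex` is the form to use in code whose storage or protocol layout depends on the token length.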