
2016-06-24 22:05 GMT+02:00 Nick Coghlan <ncoghlan@gmail.com>:
> As such, the idioms I currently have in PEP 522 are wrong - the "wait for the system RNG or not" decision wouldn't be one to be made on a per-call basis, but rather on a per-__main__ execution basis, with developers choosing which user experience they want to support on systems with a non-blocking /dev/urandom:
> * this application will fail if you run it before the system RNG is ready (so you may need to add "ExecStartPre=python3 -c 'import secrets; secrets.wait_for_system_rng()'" in your systemd unit file)
In short, if an application is not run using systemd but directly on the command line, it *can* fail with a fatal BlockingIOError? Wait, I don't think that this is acceptable behaviour from the user's point of view. Compared to Python 2.7, Python 3.4 and Python 3.5.2, where os.urandom() never blocks nor raises an exception on Linux, such a behaviour change can be seen as a major regression.
> * this application implicitly calls "secrets.wait_for_system_rng()" and hence may block waiting for the system RNG if you run it before the system RNG is ready
It's hard to guess whether os.urandom() is used in a third-party library. Maybe it's not. What if a new library version starts to use os.urandom()? Should you then start to call secrets.wait_for_system_rng()? To be safe, I expect that *all* applications would have to start with secrets.wait_for_system_rng()... It doesn't make sense to have to put such code in *all* applications.

The main advantage of PEP 522 is to control how the "system urandom not initialized yet" case is handled. But you are more and more saying that secrets.wait_for_system_rng() should be used to avoid getting BlockingIOError in most cases. Am I wrong? I expect that some libraries will start to call secrets.wait_for_system_rng() in their own code. ... In the end, it looks like you have basically reimplemented a blocking os.urandom(), no?

--

Why do we have to bother *all* users with secrets.wait_for_system_rng(), while only a very few will really care about the exceptional case? Why not add something for users who want to handle the exceptional case, but make os.urandom() blocking?

Sorry, I'm repeating myself, but as I wrote, I don't know yet what the best option is, so I'm "testing" each option.

Victor
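The two per-__main__ idioms under discussion (fail fast before the system RNG is ready, or block until it is) can be made concrete without waiting for an actual cold boot. The following is an added example, not code from either participant or from the PEP 522 draft: it probes the kernel pool with os.getrandom() and the GRND_NONBLOCK flag (Python 3.6+, Linux only; on other platforms it assumes the pool is always ready, matching the os.urandom() behaviour Victor describes), and implements both policies on top of that probe. The names wait_for_system_rng(), secure_token() and SimulatedPool are this example's own; in particular wait_for_system_rng() is a stand-in for the function PEP 522 proposed and is not a standard-library API. The probe and sleep callables are injectable so the not-ready path can be exercised with a constructed test double.

```python
import os
import time


def system_rng_ready() -> bool:
    """Non-blocking probe of the kernel CSPRNG.

    On Linux with Python 3.6+, getrandom(2) called with GRND_NONBLOCK fails
    with EAGAIN (raised as BlockingIOError) while the entropy pool is still
    uninitialised. That is exactly the condition PEP 522 proposed surfacing
    from os.urandom(). Where os.getrandom is unavailable we assume the pool
    is ready, since os.urandom() never blocks or raises there.
    """
    if not hasattr(os, "getrandom"):
        return True
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:
        return False
    return True


def wait_for_system_rng(timeout=None, *, probe=system_rng_ready,
                        sleep=time.sleep, clock=time.monotonic) -> int:
    """Block until the pool is ready: the 'implicitly wait' idiom.

    Hypothetical stand-in for the secrets.wait_for_system_rng() discussed in
    the thread (not part of the standard library). Returns how many probes
    reported not-ready; raises TimeoutError if a timeout is given and passes.
    """
    deadline = None if timeout is None else clock() + timeout
    not_ready = 0
    while not probe():
        not_ready += 1
        if deadline is not None and clock() >= deadline:
            raise TimeoutError("system RNG not ready after %r s" % (timeout,))
        sleep(0.05)
    return not_ready


def secure_token(nbytes: int, policy: str = "wait", *,
                 probe=system_rng_ready, sleep=time.sleep) -> bytes:
    """Read nbytes of randomness under one of the two per-__main__ policies.

    policy="fail": the 'application will fail' idiom. Refuse to run before
                   the pool is ready; the readiness check would typically be
                   done once at startup (e.g. from a systemd ExecStartPre).
    policy="wait": the 'implicitly wait' idiom. Block until the pool is
                   ready, then read.
    """
    if policy == "fail":
        if not probe():
            raise BlockingIOError(
                "system RNG not yet initialised; refusing to return weak randomness")
    elif policy == "wait":
        wait_for_system_rng(probe=probe, sleep=sleep)
    else:
        raise ValueError("policy must be 'fail' or 'wait', got %r" % (policy,))
    return os.urandom(nbytes)


class SimulatedPool:
    """Constructed test double: reports not-ready for N probes, then ready.

    Lets the not-ready path run on a machine whose real pool is long since
    initialised; it does not touch the kernel at all.
    """

    def __init__(self, not_ready_probes: int):
        self.remaining = not_ready_probes
        self.sleeps = 0

    def probe(self) -> bool:
        if self.remaining > 0:
            self.remaining -= 1
            return False
        return True

    def sleep(self, seconds: float) -> None:
        self.sleeps += 1


def demo():
    """Run both policies against a pool that is not ready for 3 probes.

    Returns (fail_policy_raised, token_length, sleeps_under_wait_policy).
    """
    pool = SimulatedPool(not_ready_probes=3)
    try:
        secure_token(16, "fail", probe=pool.probe, sleep=pool.sleep)
        fail_policy_raised = False
    except BlockingIOError:
        fail_policy_raised = True
    pool = SimulatedPool(not_ready_probes=3)
    token = secure_token(16, "wait", probe=pool.probe, sleep=pool.sleep)
    return fail_policy_raised, len(token), pool.sleeps


if __name__ == "__main__":
    print("real pool ready:", system_rng_ready())
    print("simulated cold boot:", demo())
```

The design point the example makes is the one Victor raises: only the "fail" policy ever surfaces BlockingIOError to the caller, and only when the check sits at the top of __main__ does it cover os.urandom() calls buried in third-party libraries. For the record, Python 3.6 adopted the blocking os.urandom() of PEP 524 rather than PEP 522, so on 3.6+ the GRND_NONBLOCK probe is the only place this code can observe the not-ready state.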