On Jun 23, 2016, at 09:54 AM, Donald Stufft wrote:
Because projects are likely going to be supporting things other than 3.6 for a very long time. The “typical” support matrix for a project on PyPI currently looks roughly like 2.6, 2.7, and 3.3+. We’re seeing some projects dropping 2.6 finally on PyPI, but it’s still a major source of downloads, and 2.7 itself is still ~86% of downloads initiated by pip across all of PyPI. There is the idea of a secrets module back port on PyPI, but without adding C code to that it’s going to basically just do the same thing as that try … except, and if the secrets backport requires C, I think you won’t get a very large uptick since os.urandom exists already and the issues are subtle enough that I don’t think most people are going to grok them immediately and will just automatically avoid a C dependency where they don’t immediately see the need for one.
Even if we pretend that 3.6+ only is something that’s going to happen in anything approaching a short timeline, we’re still going to be fighting against the tide for what the vast bulk of documentation out there states to do. So not only do we need to wait it out for pre-3.6 to die out, but we also need to wait it out for the copious amounts of third-party documentation out there telling people to just use os.urandom to die.
And even in the future, once we get to a 3.6+ only world, os.urandom and the try … except shim will still “work” for all anyone can tell (since the failure mode on os.urandom itself is practically silent in every way imaginable), so unless they already know about this issue and go out of their way to switch over to the secrets module, they’re likely to continue using something in the os module for a long time.
IOW, I think secrets is great, but I think it mostly helps new code written targeting 3.6+ only, rather than being a solution for the vast bulk of software already out there or which doesn’t yet exist but is going to support older things than 3.6.
The proposed os.urandom() change is only going into Python 3.6, so older Python users will still be "vulnerable" to the problem until they upgrade. And without a backported secrets module, they won't have any way to benefit from the entropy guarantees until they upgrade. If secrets is backported and available in PyPI, then we can start immediately changing the os.urandom() meme to something more secure. Sure it takes a long time to change minds, but I still think it's better to give users a blessed, near universally agreed upon, secure alternative immediately.

Cheers,
-Barry
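The "try … except" shim the thread keeps referring to, written out as an added example (this is not code from the thread, from CPython, or from any secrets backport). It prefers the secrets module when importable and falls back to os.urandom otherwise, which is exactly what Donald says a pure-Python backport amounts to. What it adds is the check that os.urandom itself never makes: on Linux with Python 3.6+, os.getrandom() with GRND_NONBLOCK raises BlockingIOError while the kernel pool is still unseeded, so the shim can refuse in that window instead of silently handing out weak bytes. The names _pool_seeded and token_bytes are this example's own, and the probe is assumed to be available only on Linux with Python 3.6+; elsewhere it is skipped and the shim degrades to plain os.urandom behaviour.

```python
"""Added example: a secrets/os.urandom shim with an explicit seeded-pool check.

Assumptions (not from the thread): CPython 3.6+ on Linux for the os.getrandom()
probe; on older Pythons or other platforms the probe is unavailable and the
shim behaves like the bare try ... except fallback discussed in the thread.
_pool_seeded and token_bytes are names chosen here, not stdlib or backport API.
"""
import os

try:
    import secrets  # stdlib on 3.6+, or a backport if one is installed
except ImportError:  # pre-3.6 without a backport: fall back to os.urandom
    secrets = None


def _pool_seeded():
    """Probe whether the kernel entropy pool is known to be initialised.

    Returns True if seeded, False if the kernel reports it is not yet seeded,
    and None if the probe is unavailable (no os.getrandom or no GRND_NONBLOCK).

    os.urandom() on Linux returns bytes regardless of pool state, which is the
    "practically silent" failure mode the thread describes. getrandom(2) with
    GRND_NONBLOCK instead fails with EAGAIN (BlockingIOError in Python) in that
    window, so it can be used to detect the condition.
    """
    getrandom = getattr(os, "getrandom", None)
    nonblock = getattr(os, "GRND_NONBLOCK", None)
    if getrandom is None or nonblock is None:
        return None
    try:
        getrandom(1, nonblock)
    except BlockingIOError:
        return False
    return True


def token_bytes(nbytes=32):
    """Return nbytes of CSPRNG output, refusing if the pool is known-unseeded."""
    if _pool_seeded() is False:
        raise RuntimeError(
            "kernel entropy pool not yet initialised; refusing to return bytes"
        )
    if secrets is not None:
        return secrets.token_bytes(nbytes)
    return os.urandom(nbytes)


if __name__ == "__main__":
    print("pool seeded:", _pool_seeded())
    print(token_bytes(16).hex())
```

On a booted system the probe returns True and the shim is indistinguishable from secrets.token_bytes; the extra branch only matters in the early-boot case the thread is about, and only where os.getrandom exists, which is precisely why a pure-Python backport for older interpreters cannot offer the same guarantee.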