[docs] [issue16190] Misleading warning in random module docs

Christian Heimes report at bugs.python.org
Wed Oct 10 18:13:10 CEST 2012

New submission from Christian Heimes:

The documentation [1] of the random module contains a misleading warning 

Warning: The generators of the random module should not be used for security purposes. Use ssl.RAND_bytes() if you require a cryptographically secure pseudorandom number generator.

The warning should point users to os.urandom() and random.SystemRandom rather than ssl.RAND_bytes(). On Linux os.urandom() wraps /dev/urandom [2], on Windows it uses CryptGenRandom() [3]. Both are suitable for most cryptographic purposes except for long-lived keys (SSL, SSH, GPG certs etc.). ssl.RAND_bytes() should only be used for such long-lived data and not for salts, session ids and similar.

I like to see the warning box in Python 2.7, too. It's still the default for docs.python.org. My inquiry is motivated by #16184.

[1] http://docs.python.org/py3k/library/random.html
[2] http://linux.die.net/man/4/urandom
[3] http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942%28v=vs.85%29.aspx

assignee: docs at python
messages: 172589
nosy: christian.heimes, docs at python
priority: normal
severity: normal
status: open
title: Misleading warning in random module docs
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4

Python tracker <report at bugs.python.org>

More information about the docs mailing list