[docs] [issue27292] Warn users that os.urandom() prior to 3.6 can return insecure values
Nick Coghlan
report at bugs.python.org
Sat Sep 10 04:27:49 EDT 2016
Nick Coghlan added the comment:
On modern Intel chips, one of the entropy sources is the CPU itself, and so this problem is mostly theoretical on such systems unless you're worried about the quality of Intel's entropy generation (in which case you're well and truly into sovereign espionage and advanced persistent threat territory, and really shouldn't be blindly trusting operating systems and programming language runtimes to already be doing the right thing).
So the main ways to get bad entropy from /dev/urandom on Linux are:
- a misconfigured VM that has been cut off from all decent entropy sources, and doesn't have any persistent storage attached
- an embedded non-Intel chip that doesn't have any decent entropy sources or persistent storage attached
If you're not doing either of those things, you're probably fine. If you're worried that you might be, try running Python 3.6 and calling os.getrandom() explicitly to see what happens.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27292>
_______________________________________
More information about the docs
mailing list