[New-bugs-announce] [issue27297] Add support for /dev/random to "secrets"

Larry Hastings report at bugs.python.org
Sat Jun 11 14:34:35 EDT 2016

New submission from Larry Hastings:

Linux contains two separate sources for random numbers: /dev/urandom and /dev/random.  On a reasonably-current Linux box, the urandom(4) man page states:

    As a general rule, /dev/urandom should be used for
    everything except long-lived GPG/SSL/SSH keys.

This seems to suggest that, in the eyes of its implementors, /dev/random returns ever-so-slightly superior random numbers, and that in certain limited circumstances you should prefer those.

AFAICT the secrets module doesn't make use of the /dev/random device on Linux.  Should it?  (Or, in the likely case that we make the getrandom() function directly callable, should it call getrandom(GRND_RANDOM)?)

p.s. FWIW, Linux's /dev/urandom isn't considered a true CPRNG in all circles.  This paper declines to call it simply either a CPRNG or a PRNG, instead christening it with the unfamiliar term "PRNG with entropy inputs".


p.p.s. I went ahead and nosied the "cryptography" "interest category" from the nosy list.  Neat!

assignee: steven.daprano
components: Library (Lib)
messages: 268243
nosy: christian.heimes, dstufft, gregory.p.smith, larry, steven.daprano
priority: low
severity: normal
stage: test needed
status: open
title: Add support for /dev/random to "secrets"
type: enhancement
versions: Python 3.6

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list