[issue26839] Python 3.5 running on Linux kernel 3.17+ can block at startup or on importing the random module on getrandom()
Larry Hastings
report at bugs.python.org
Tue Jun 7 11:32:08 EDT 2016
Larry Hastings added the comment:
> PSRT VETO!
This is an amusing concept, but membership in the PSRT does not empower you with a "veto".
On the other hand, being Release Manager does give me some say here.
> You wouldn't add a workaround for broken CPU instructions to math.c or semi-functional network card to socket.c, would you?
Well, yes, of course we would, if we had to. Consider the F00F bug. Happily the operating systems handled that one for us.
It is unreasonable for Python startup to take 90 seconds, poorly-configured cloud virtual machine or otherwise. And there are many, many uses of the random module and hashlib that don't require CPRNG.
On the other hand, people who need cryptographic-strength random bits should be able to get them. And the documentation literally does state that os.urandom() is a source of cryptographically-suitable random bytes.
ISTM that the happy middle ground would be:
* seed the random module with non-cryptographically-secure random bits
* lazily seed hashlib
Am I missing something, besides the anxiety of making this sort of change four days before I tag 3.5.2 RC2?
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26839>
_______________________________________
More information about the Python-bugs-list
mailing list