[Python-Dev] BDFL ruling request: should we block forever waiting for high-quality random bits?
mertz at gnosis.cx
Thu Jun 16 18:33:42 EDT 2016
Yes 'secrets' is one-liners. However, it might grow a few more lines around
the blocking in getrandom() on Linux. But still, not more than a few.
But the reason it should be on PyPI is so that programs can have a uniform
API across various Python versions. There's no real reason that someone
stuck on Python 2.7 or 3.3 shouldn't be able to include the future-style:
Answer = secrets.token_bytes(42)
On Jun 16, 2016 4:53 PM, "Nick Coghlan" <ncoghlan at gmail.com> wrote:
> On 16 June 2016 at 13:09, Barry Warsaw <barry at python.org> wrote:
> > On Jun 16, 2016, at 01:01 PM, David Mertz wrote:
> >>It seems to me that backporting 'secrets' and putting it on Warehouse
> >>be a lot more productive than complaining about 3.5.2 reverting to
> >>the behavior of 2.3-3.4.
> > Very wise suggestion indeed. We have all kinds of stdlib modules
> > and released as third party packages. Why not secrets too? If such
> > were on
> > PyPI, I'd happily package it up for the Debian ecosystem. Problem solved
> > <wink>.
> The secrets module is just a collection of one liners pulling together
> other stdlib components that have been around for years - the main
> problem it aims to address is one of discoverability (rather than one
> of code complexity), while also eliminating the "simulation is in the
> standard library, secrecy requires a third party module" discrepancy
> in the long term.
> Once you're aware the problem exists, the easiest way to use it in a
> version independent manner is to just copy the relevant snippet into
> your own project's utility library - adding an entire new dependency
> to your project just for those utility functions would be overkill.
> If you *do* add a dependency, you'd typically be better off with
> something more comprehensive and tailored to the particular problem
> domain you're dealing with, like passlib or cryptography or
> P.S. Having the secrets module available on PyPI wouldn't *hurt*, I
> just don't think it would help much.
> Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
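The two approaches discussed in this message (a uniform `secrets.token_bytes(42)` call on every Python version, and copying the relevant snippets into a project's own utility library) can be combined in one small shim. This is an added example, not code from the thread or from CPython; the `fallback_*` names, `sysrand`, `stdlib_secrets` and the 32-byte default are assumptions made for illustration.

```python
# Added example: a project-local shim giving one API across Python versions.
# All fallback_* names are hypothetical and not taken from CPython.
import base64
import binascii
import hmac
import os
import random

DEFAULT_ENTROPY = 32  # bytes used when the caller passes no size (assumed default)
sysrand = random.SystemRandom()  # draws from os.urandom, not the Mersenne Twister


def fallback_token_bytes(nbytes=None):
    # Inherits the blocking behaviour of os.urandom on the running interpreter;
    # no extra getrandom() handling is added here.
    return os.urandom(DEFAULT_ENTROPY if nbytes is None else nbytes)


def fallback_token_hex(nbytes=None):
    return binascii.hexlify(fallback_token_bytes(nbytes)).decode("ascii")


def fallback_token_urlsafe(nbytes=None):
    raw = base64.urlsafe_b64encode(fallback_token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")  # strip padding for use in URLs


def fallback_randbelow(upper):
    if upper <= 0:
        raise ValueError("upper bound must be positive")
    return sysrand.randrange(upper)


try:
    import secrets as stdlib_secrets  # present from Python 3.6
except ImportError:
    stdlib_secrets = None  # older interpreter: use the fallbacks above

# getattr() on None returns the default, so one line per name covers both cases.
token_bytes = getattr(stdlib_secrets, "token_bytes", fallback_token_bytes)
token_hex = getattr(stdlib_secrets, "token_hex", fallback_token_hex)
token_urlsafe = getattr(stdlib_secrets, "token_urlsafe", fallback_token_urlsafe)
randbelow = getattr(stdlib_secrets, "randbelow", fallback_randbelow)
compare_digest = hmac.compare_digest  # constant-time; Python 2.7.7+ and 3.3+

if __name__ == "__main__":
    answer = token_bytes(42)
    print(len(answer), token_urlsafe(16))
```
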