[Python-ideas] Should our default random number generator be secure?

Donald Stufft donald at stufft.io
Wed Sep 9 19:20:03 CEST 2015


On September 9, 2015 at 1:11:22 PM, Tim Peters (tim.peters at gmail.com) wrote:
> So the real question is: whose use cases do you want to cater to by
> default?
>
> If you answer "crypto", then realize the Python generator will have to
> change every time the crypto community changes its mind about what's
> _currently_ "good enough". There's a long history of that already.


This is not really true in the sense that Python would need to do anything if
the blessed generator changed. We'd use /dev/urandom, one of the syscalls that
do the same thing, or the CryptGen API on Windows. Python should not have its
own userland CSPRNG. Then it's up to the platform to follow what generator they
are going to provide.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
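
Added illustration, not part of the original message or of CPython's source: a standard-library-only Python sketch contrasting the userland Mersenne Twister in random.Random, whose whole state lives in the process, with the OS-backed random.SystemRandom and os.urandom() that the message proposes relying on. The helper names are hypothetical and the seed value is constructed for the example.

```python
import os
import random


def mt_state_words() -> int:
    """Count the words of generator state random.Random keeps in-process."""
    _version, internal, _gauss = random.Random(12345).getstate()
    return len(internal)  # 624 state words plus a position index


def mt_clone_matches(n: int = 16) -> bool:
    """Copying the in-process state reproduces every later output."""
    src = random.Random()    # seeded from the OS once, then purely userland
    clone = random.Random()
    clone.setstate(src.getstate())
    return ([src.getrandbits(32) for _ in range(n)]
            == [clone.getrandbits(32) for _ in range(n)])


def os_backed_has_no_state() -> bool:
    """SystemRandom asks the OS on every call and exposes no state to copy."""
    try:
        random.SystemRandom().getstate()
    except NotImplementedError:
        return True
    return False


def os_backed_ignores_seed(seed: int = 12345, n: int = 16) -> bool:
    """Seeding is a no-op for the OS-backed generator: same seed, new output."""
    a, b = random.SystemRandom(seed), random.SystemRandom(seed)
    return ([a.getrandbits(32) for _ in range(n)]
            != [b.getrandbits(32) for _ in range(n)])


def new_token(nbytes: int = 32) -> str:
    """Hex token drawn straight from the platform generator."""
    return os.urandom(nbytes).hex()


if __name__ == "__main__":
    print("userland state words:", mt_state_words())
    print("cloned state predicts output:", mt_clone_matches())
    print("OS-backed generator has no state:", os_backed_has_no_state())
    print("OS-backed generator ignores seed:", os_backed_ignores_seed())
    print("token:", new_token())
```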



