[Python-ideas] Should our default random number generator be secure?

M.-A. Lemburg mal at egenix.com
Thu Sep 10 10:26:23 CEST 2015


Reading this thread is fun, but it doesn't seem to be getting
anywhere - perhaps that's part of the fun ;-)

Realistically, I see two options:

 1. Someone goes and implements the OpenBSD random function in C
    and puts a package up on PyPI, updating it whenever OpenBSD
    thinks that a new algorithm is needed or a security issue
    has to be fixed (from my experience with other crypto software
    like OpenSSL, this should be on the order of every 2-6 months ;-))

 2. Ditto, but we put the module in the stdlib and then run around
    issuing patch level security releases every 2-6 months.

Replacing our deterministic default PRNG with a non-deterministic
one doesn't really fly, since we'd break an important feature
of random.random(). You may remember that we already ran a similar
stunt with the string hash function, with very mixed results.

Calling the result of such a switch-over "secure" is even
worse, since it's a promise we cannot keep (probably not even
fully define). Better leave the promise at "insecure" - that's
something we can promise forever and don't have to define :-)

Regardless of what we end up with, I think Python land can do
better than name it "arc4random". We're great at bike shedding,
so how about we start the fun with "randomYMMV" :-)

Overall, I think having more options for good PRNGs is great.
Whether this "arc4random" is any good remains to be seen, but
given that OpenBSD developed it, chances are higher than
usual.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Sep 10 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> mxODBC Plone/Zope Database Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2015-09-18: PyCon UK 2015 ...                               8 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
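Added illustration (editor's example, not code from the message above or from CPython): it shows the two points the message relies on. First, the "important feature" of the default generator is that seeding makes its output reproducible, which a SystemRandom instance (backed by os.urandom) cannot offer. Second, "insecure" is an honest label for the default: the Mersenne Twister (MT19937) state behind random.Random can be rebuilt from 624 consecutive 32-bit outputs by inverting the tempering step, after which every future value is predictable. The seeds, the observation window and the 624-output sample are constructed for the demo; the assumption that the observed outputs start at a twist boundary is noted in the code.

```python
import random
from random import SystemRandom  # os.urandom-backed; not seedable, not reproducible

MT_N = 624  # MT19937 state size in 32-bit words


def _undo_right_xor(y, shift):
    # Inverts y = x ^ (x >> shift); converges after ceil(32/shift) rounds.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor_and(y, shift, mask):
    # Inverts y = x ^ ((x << shift) & mask); low bits are fixed first.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF


def untemper(y):
    """Recover the raw MT19937 state word from one tempered 32-bit output."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_and(y, 15, 0xEFC60000)
    y = _undo_left_xor_and(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_mt(outputs):
    """Build a random.Random in the same state as the generator that emitted `outputs`.

    Assumption: `outputs` are 624 consecutive getrandbits(32) values taken from
    the start of a twist block (true for a freshly seeded random.Random).
    """
    if len(outputs) != MT_N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    # State tuple format used by random.Random.setstate: (version 3, 624 words + index, gauss_next)
    state = tuple(untemper(o) for o in outputs) + (MT_N,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def predict_next(observed, n=5):
    """Predict the next n 32-bit outputs of the generator that produced `observed`."""
    clone = clone_mt(observed)
    return [clone.getrandbits(32) for _ in range(n)]


def seeded_is_reproducible(seed=20150910):
    # The deterministic feature: same seed, same stream.
    a, b = random.Random(seed), random.Random(seed)
    return [a.random() for _ in range(5)] == [b.random() for _ in range(5)]


def default_rng_is_predictable(seed=12345):
    # Constructed scenario: an attacker observes 624 outputs, then predicts.
    target = random.Random(seed)
    observed = [target.getrandbits(32) for _ in range(MT_N)]
    predicted = predict_next(observed, 5)
    actual = [target.getrandbits(32) for _ in range(5)]
    return predicted == actual


def system_random_is_not_clonable():
    # SystemRandom exposes no state to rebuild; getstate/setstate refuse.
    try:
        SystemRandom().getstate()
    except NotImplementedError:
        return True
    return False


if __name__ == "__main__":
    print("seeded Random reproducible:", seeded_is_reproducible())
    print("default Random predictable after 624 outputs:", default_rng_is_predictable())
    print("SystemRandom state not recoverable via API:", system_random_is_not_clonable())
```

The clone works because tempering is a bijection on 32-bit words and the generator's future depends only on the 624-word state, so "insecure" here is a precise statement rather than a hedge. SystemRandom (and, in later Python versions, the secrets module) is the drop-in choice when unpredictability matters; it gives up seeding entirely, which is exactly the trade-off the message says cannot be imposed on random.random().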

