[Python-ideas] Python's Source of Randomness and the random.py module Redux

Thu Sep 10 15:56:05 CEST 2015

On Thu, Sep 10, 2015 at 8:44 AM, Paul Moore <p.f.moore at gmail.com> wrote:
> On 10 September 2015 at 14:10, Donald Stufft <donald at stufft.io> wrote:
>>> I don't understand the phrase "if you needed determinism, it would
>>> hurt you to say so". Could you clarify?
>>
>> I transposed some words, fixed:
>>
>> "If you needed determinism, would it hurt you to say so?""
>
> Thanks.
>
> In one sense, no it wouldn't. Nor would it matter to me if "the
> default random number generator" was fast and cryptographically
> secure. What matters is just that I get a load of random (enough)
> numbers.
>
> What hurts somewhat (not enormously, I'll admit) is up front having to
> think about whether I need to be able to capture a seed and replay it.
> That's nearly always something I'd think of way down the line, as a
> "wouldn't it be nice if I could get the user to send me a reproducible
> test case" or something like that. And of course it's just a matter of
> switching the underlying RNG at that point.
>
> None of this is hard. But once again, I'm currently using the module
> correctly, as documented.

No one in this thread is accusing everyone of using the module
incorrectly. The fact that you do use it correctly is a testament to
the fact that you read the docs carefully and have some level of
experience with the module to know that you're using it correctly.

> I've omitted most of the rest of your response largely because we're
> probably just going to have to agree to differ. I'm probably too worn
> out being annoyed at the way that everything ends up needing to be
> security related, and the needs of people who won't read the docs
> determines API design, to respond clearly and rationally :-(

I think the people Theo, Donald, and others (including myself) are
worried about are the people who have used some book or online
tutorial to write games in Python and have seen random.random() or
random.choice() used. Later on they start working on something else
(including but not limited to the examples of what Donald has
otherwise pointed out). They also have enough experience with the
random module to know it produced randomness (what kind, they don't
know... in fact they probably don't know there are different kinds
yet) and they use what they know because Python has batteries included
and they're awesome and easy to use. The reality is that past
experiences bias current decisions. If that person went and read the
docs, they probably won't know if what they're doing warrants using a
CSPRNG instead of the default Python one. If they're not willing to
learn, or read enough (and I stress enough) (or just really don't have
the time because this is a side project) about the topic before making
a decision, they'll say "Well the module level functions seemed random
enough to me, so I'll just use those". That could end up being rather
awful for them.

The reality is that your past experiences (and other people's past
experiences, especially those who refuse to do some research and are
demanding others prove that these are insecure with examples) are
biasing this discussion because they fail to empathize with new users
whose past experiences are coloring their decisions.

People choose Python for a variety of reasons, and one of those
reasons is that in their past experience it was "fast enough" to be an
acceptable choice. This is how most people behave. Being angry at
people for reading a two sentence long warning in the middle of the
docs isn't helping anyone or arguing the validity of this discussion.