[Python-ideas] Python's Source of Randomness and the random.py module Redux

Akira Li 4kir4.1i at gmail.com
Thu Sep 10 20:40:32 CEST 2015


On Thu, Sep 10, 2015 at 9:19 PM, Donald Stufft <donald at stufft.io> wrote:

> On September 10, 2015 at 2:08:46 PM, Akira Li (4kir4.1i at gmail.com) wrote:
> >
> > "security minded folks" [1] recommend "always use os.urandom()" and
> > advise against *random* module [2,3] despite being aware of
> > random.SystemRandom() [4]
> >
> > i.e., if they are right then *random* module probably only needs to care
> > about group #1 and avoid creating the false sense of security in group #3.
> >
>
> Maybe you didn't notice you’re talking to the third name in the list of
> authors that you linked to,


Obviously, I've noticed it but I didn't want to call you out.

> but that documentation is there primarily because the random module's API
> is problematic and it's easier to recommend people to not use it than to
> try and explain how to use it safely.

"it's easier to recommend people to not use it than to try and explain how
to use it safely." That is exactly the point.
If random.SystemRandom() is not safe to use while being based on "secure"
os.urandom() then providing the same API based on (possibly less secure)
arc4random() won't be any safer.
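
As an added illustration (not part of the original message or of the documentation it cites), the quoted advice to avoid the *random* module can be checked mechanically: this Python sketch walks a file's AST and reports calls that reach the module-level Mersenne Twister generator, while leaving random.SystemRandom() and os.urandom() alone. The name find_mt_calls and the sample source are constructed for this example.

```python
import ast
# Module-level `random` functions that use the module's shared Mersenne Twister instance.
MT_FUNCS = {"random", "randint", "randrange", "choice", "choices", "sample",
            "shuffle", "uniform", "getrandbits", "seed"}

def find_mt_calls(source):
    """Return sorted (line, name) pairs for calls to the module-level generator."""
    tree = ast.parse(source)
    module_aliases = set()   # names bound by `import random [as x]`
    func_aliases = {}        # names bound by `from random import choice [as c]`
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "random":
                    module_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            for a in node.names:
                if a.name in MT_FUNCS:
                    func_aliases[a.asname or a.name] = a.name
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_aliases and f.attr in MT_FUNCS):
            hits.append((node.lineno, "random." + f.attr))
        elif isinstance(f, ast.Name) and f.id in func_aliases:
            hits.append((node.lineno, "random." + func_aliases[f.id]))
    return sorted(hits)

# Constructed sample input: three flagged calls, two acceptable ones.
SAMPLE = '''\
import os
import random
import random as rnd
from random import choice as pick
ALPHABET = "abcdef0123456789"
token_a = "".join(random.choice(ALPHABET) for _ in range(32))
token_b = "".join(pick(ALPHABET) for _ in range(32))
token_c = rnd.getrandbits(128)
sysrand = random.SystemRandom()
token_d = "".join(sysrand.choice(ALPHABET) for _ in range(32))
token_e = os.urandom(16)
'''

if __name__ == "__main__":
    for line, name in find_mt_calls(SAMPLE):
        print(f"line {line}: {name}() uses the module-level generator")
```

The check does not follow `from random import *` or functions rebound by assignment, so a clean result is a lower bound rather than proof that the file is free of such calls.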