[Python-ideas] Python's Source of Randomness and the random.py module Redux

Paul Moore p.f.moore at gmail.com
Mon Sep 14 17:01:02 CEST 2015

On 14 September 2015 at 14:29, Cory Benfield <cory at lukasa.co.uk> wrote:
> Is your argument that there are lots of ways to get security wrong,
> and for that reason we shouldn't try to fix any of them?

This debate seems to repeatedly degenerate into this type of accusation.

Why is backward compatibility not being taken into account here? To be
clear, the proposed change *breaks backward compatibility* and while
that's allowed in 3.6, just because it is allowed, doesn't mean we
have free rein to break compatibility - any change needs a good
justification. The arguments presented here are valid up to a point,
but every time anyone tries to suggest a weak area in the argument,
the "we should fix security issues" trump card gets pulled out.

For example, as this is a compatibility break, it'll only be allowed
into 3.6+ (I've not seen anyone suggest that this is sufficiently
serious to warrant breaking compatibility on older versions). Almost
all of those SO questions, and Google hits, are probably going to be
referenced by people who are using 2.7, or maybe some version of 3.x
earlier than 3.6 (at what stage do we allow for the possibility of 3.x
users who are *not* on the latest release?). So is a solution which
won't impact most of the people making the mistake worth it?

I fully expect the response to this to be "just because it'll take
time, doesn't mean we should do nothing". Or "even if it just fixes it
for one or two people, it's still worth it". But *that's* the argument
I don't find compelling - not that a fix won't help some situations,
but that because it's security, (a) all the usual trade-off
calculations are irrelevant, and (b) other proposed solutions (such as
education, adding specialised modules like a "shared secret" library,
etc) are off the table.

Honestly, this type of debate doesn't do the security community much
good - there's too little willingness to compromise, and as a result
the more neutral participants (which, frankly, is pretty much anyone
who doesn't have a security agenda to promote) end up pushed into a
"reject everything" stance simply as a reaction to the black and white
argument style.
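As an added illustration of the compatibility question argued above (example code, not part of this message or of CPython), assuming, as the thread's subject suggests, that the change under discussion is to make the default generator OS-backed: seeded Mersenne Twister draws are reproducible and their state can be saved, while `random.SystemRandom` silently ignores `seed()` and cannot export state; `secrets` (3.6+) is the "specialised module" route for tokens.

```python
import random
import secrets  # Python 3.6+: the "specialised module" route for secret material


def seeded_sequence(seed, n=5):
    """Reproducible draws from the Mersenne Twister (what tests and simulations rely on)."""
    rng = random.Random(seed)
    return [rng.randrange(1000) for _ in range(n)]


def system_sequence(seed, n=5):
    """Draws from the OS CSPRNG: SystemRandom.seed() is a documented no-op,
    so the same seed does not give the same sequence."""
    rng = random.SystemRandom()
    rng.seed(seed)  # silently ignored
    return [rng.randrange(1000) for _ in range(n)]


def state_is_available(rng):
    """True if the generator's state can be captured with getstate();
    SystemRandom raises NotImplementedError here."""
    try:
        rng.getstate()
        return True
    except NotImplementedError:
        return False


def mt_state_available():
    return state_is_available(random.Random(0))


def system_state_available():
    return state_is_available(random.SystemRandom())


def new_token(nbytes=16):
    """Secret tokens come from secrets, whichever way random's default is decided."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print("seeded, run 1:", seeded_sequence(42))
    print("seeded, run 2:", seeded_sequence(42))
    print("SystemRandom, run 1:", system_sequence(42))
    print("SystemRandom, run 2:", system_sequence(42))
    print("MT state available:", mt_state_available())
    print("SystemRandom state available:", system_state_available())
    print("token:", new_token())
```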
