[Python-ideas] Python's Source of Randomness and the random.py module Redux

Nick Coghlan ncoghlan at gmail.com
Tue Sep 15 02:04:19 CEST 2015

On 15 September 2015 at 01:32, Ian Cordasco <graffatcolmingov at gmail.com> wrote:
> On Mon, Sep 14, 2015 at 10:01 AM, Paul Moore <p.f.moore at gmail.com> wrote:
>> On 14 September 2015 at 14:29, Cory Benfield <cory at lukasa.co.uk> wrote:
>>> Is your argument that there are lots of ways to get security wrong,
>>> and for that reason we shouldn't try to fix any of them?
>> This debate seems to repeatedly degenerate into this type of accusation.
>> Why is backward compatibility not being taken into account here? To be
>> clear, the proposed change *breaks backward compatibility* and while
>> that's allowed in 3.6, just because it is allowed, doesn't mean we
>> have free rein to break compatibility - any change needs a good
>> justification. The arguments presented here are valid up to a point,
>> but every time anyone tries to suggest a weak area in the argument,
>> the "we should fix security issues" trump card gets pulled out.
>> For example, as this is a compatibility break, it'll only be allowed
>> into 3.6+ (I've not seen anyone suggest that this is sufficiently
>> serious to warrant breaking compatibility on older versions). Almost
>> all of those SO questions, and google hits, are probably going to be
>> referenced by people who are using 2.7, or maybe some version of 3.x
>> earlier than 3.6 (at what stage do we allow for the possibility of 3.x
>> users who are *not* on the latest release?) So is a solution which
>> won't impact most of the people making the mistake worth it?
> So people who are arguing that the defaults shouldn't be fixed on
> Python 2.7 are likely the same people who also argued that PEP 466 was
> a terrible, awful, end-of-the-world type change. Yes, it broke things
> (like eventlet) but the net benefit for users who can get onto Python
> 2.7.9 (and later) is immense.

They don't even have to get onto 2.7.9 per se - the RHEL 7.2 beta just
shipped with Robert Kuska's backport of those changes (minus the
eventlet breaking internal API change), so it will also filter out
through the RHEL/CentOS ecosystem via 7.x and SCLs. (We also looked at
a Python 2.6 backport, but decided it was too much work for not enough
benefit - folks really need to just upgrade to RHEL/CentOS 7 already,
or at least switch to using Software Collections for their Python
runtime needs).

Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia