[Python-ideas] PEP 504: Using the system RNG by default

Donald Stufft donald at stufft.io
Tue Sep 15 19:50:12 CEST 2015

On September 15, 2015 at 1:34:56 PM, Guido van Rossum (guido at python.org) wrote:
> I am fine with adding more secure ways of generating random numbers.
> But we already have random.SystemRandom(), so there doesn’t
> seem to be a hurry?

The problem isn't so much that there isn't a way of securely generating random 
numbers, but that the module, as it is right now, guides you towards using an 
insecure source of random numbers rather than a secure one. This means that
unless you're familiar with the random module or reading the online
documentation you don't really have any idea that ``random.random()`` isn't
secure. This is an attractive nuisance for anyone who *doesn't* need
deterministic output from their random numbers and leads to situations where
people are incorrectly using MT when they should be using SystemRandom because
they don't know any better.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
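
Added example, not part of the original message: the same token routine driven by the Mersenne Twister generator behind ``random.random()`` and by ``random.SystemRandom``, showing that the first can be replayed from its state while the second cannot. The function names, alphabet and token length are assumptions chosen for illustration.

```python
import random
import string

# Constructed for this example: alphabet and default length are illustrative.
ALPHABET = string.ascii_letters + string.digits


def make_token(rng, length=32):
    """Build a token by drawing characters from the given generator."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def mt_token_is_reproducible():
    """Mersenne Twister: the captured state regenerates the same token."""
    mt = random.Random()      # same generator type as module-level random.*
    state = mt.getstate()     # the full internal state is exposed by design
    token = make_token(mt)
    replay = random.Random()
    replay.setstate(state)
    return make_token(replay) == token


def system_token_is_reproducible():
    """SystemRandom: seed() is ignored, so reseeding cannot replay a token."""
    first_rng = random.SystemRandom()
    first_rng.seed(1234)      # accepted, but has no effect
    first = make_token(first_rng)
    second_rng = random.SystemRandom()
    second_rng.seed(1234)
    return make_token(second_rng) == first


def system_random_has_state():
    """SystemRandom reads os.urandom() and keeps no replayable state."""
    try:
        random.SystemRandom().getstate()
    except NotImplementedError:
        return False
    return True


if __name__ == "__main__":
    print("MT token reproducible from state:", mt_token_is_reproducible())
    print("SystemRandom token reproducible: ", system_token_is_reproducible())
    print("SystemRandom exposes state:      ", system_random_has_state())
```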
