[Python-ideas] PEP 504: Using the system RNG by default

Guido van Rossum guido at python.org
Tue Sep 15 20:21:20 CEST 2015


On Tue, Sep 15, 2015 at 10:50 AM, Donald Stufft <donald at stufft.io> wrote:

> On September 15, 2015 at 1:34:56 PM, Guido van Rossum (guido at python.org) wrote:
> > I am fine with adding more secure ways of generating random numbers.
> > But we already have random.SystemRandom(), so there doesn’t
> > seem to be a hurry?
>
> The problem isn't so much that there isn't a way of securely generating
> random numbers, but that the module, as it is right now, guides you towards
> using an insecure source of random numbers rather than a secure one. This
> means that unless you're familiar with the random module or reading the
> online documentation you don't really have any idea that ``random.random()``
> isn't secure. This is an attractive nuisance for anyone who *doesn't* need
> deterministic output from their random numbers and leads to situations where
> people are incorrectly using MT when they should be using SystemRandom
> because they don't know any better.
>

That feels condescending, as does the assumption that (almost) every naive
use of randomness is somehow a security vulnerability. The concept of
secure vs. insecure sources of randomness isn't *that* hard to grasp.

-- 
--Guido van Rossum (python.org/~guido)