[Python-ideas] PEP 504: Using the system RNG by default
David Mertz
mertz at gnosis.cx
Wed Sep 16 06:27:41 CEST 2015
On Sep 15, 2015 7:23 PM, "Stephen J. Turnbull" <stephen at xemacs.org> wrote:
>
> A pseudo-randomly selected recent quote:
>
> > It would never occur to me to reach for the random module if I want
> > to do cryptography.
>
> That doesn't mean that security has to be #1 always and everywhere in
> designing Python, but I find it pretty distressing that apparently a
> lot of people either don't understand or don't care about what's at
> stake in these kinds of decisions *for the rest of the world*.
>
> The reality is that security that is not on by default is not
> secure. Any break in a dike can flood a whole town.

This feels somewhere between disingenuous and dishonest. Just like I don't
use the random module for cryptography, I also don't use the socket module
or the threading module for cryptography.

Could a program dealing with sockets have security issues?! Very likely!
Could a multithreaded one expose vulnerabilities? Certainly!

Should we try to "secure" these modules for users who don't need to or
don't know to think about security? Absolutely not!