[Python-ideas] PEP 504: Using the system RNG by default

David Mertz mertz at gnosis.cx
Wed Sep 16 06:27:41 CEST 2015

On Sep 15, 2015 7:23 PM, "Stephen J. Turnbull" <stephen at xemacs.org> wrote:
> A pseudo-randomly selected recent quote:
>  > It would never occur to me to reach for the random module if I want
>  > to do cryptography.

> That doesn't mean that security has to be #1 always and everywhere in
> designing Python, but I find it pretty distressing that apparently a
> lot of people either don't understand or don't care about what's at
> stake in these kinds of decisions *for the rest of the world*.
> The reality is that security that is not on by default is not
> secure.  Any break in a dike can flood a whole town.

This feels somewhere between disingenuous and dishonest. Just like I don't
use the random module for cryptography, I also don't use the socket module
or the threading module for cryptography.

Could a program dealing with sockets have security issues?! Very likely!
Could a multithreaded one expose vulnerabilities? Certainly!

Should we try to "secure" these modules for users who don't need to our
don't know to think about security? Absolutely not!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150915/e9b59efe/attachment.html>

More information about the Python-ideas mailing list