[Python-ideas] PEP 504: Using the system RNG by default

Donald Stufft donald at stufft.io
Wed Sep 16 18:09:15 CEST 2015

On September 16, 2015 at 11:55:48 AM, Steven D'Aprano (steve at pearwood.info) wrote:
> - We add at least one CSPRNG. I leave it to the crypto-wonks to decide
> which.

We already have a CSPRNG via os.urandom, and importantly we don't have to
decide which implementation it is, because the OS provides it and is
responsible for it. I am against adding a userspace CSPRNG as anything but a
possible implementation detail of making a CSPRNG the default for random.py. If
we're not going to change the default, then I think adding a userspace CSPRNG
is jsut adding a different footgun. That's OK though, becuase os.urandom is a
pretty great CSPRNG.

> Developers will still have to make a choice: "do I use secrets, or
> random?" If they're looking for a random token (or password?), the
> answer is obvious: use secrets, because the battery is already there.
> For reasons that I will go into below, I don't think that requiring this
> choice is a bad thing. I think it is a *good* thing.

Forcing the user to make a choice isn’t a bad option from a security point of
view. Most people will prefer to use the secure one by default even if they
don't know better, the problem right now is that there is a "default", and that
default is unsafe so people aren't forced to make a choice, they are given a
choice with the option to go and make a choice later.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

More information about the Python-ideas mailing list