[Python-ideas] PEP 506 (secrets module) and token functions

Nick Coghlan ncoghlan at gmail.com
Sun Sep 27 15:35:33 CEST 2015


On 27 September 2015 at 00:04, Chris Angelico <rosuav at gmail.com> wrote:
> Can you adequately define "secure enough" across all purposes? If so,
> I would support that. The precise number would never be documented
> specifically (if you want to know what your version does, try it
> interactively), and then it can indeed be changed in 3.6.3 - or even
> without a version number bump at all (in ten years' time, Red Hat
> might choose to continue shipping CPython 3.6.1, but change the
> default entropy value).

We backported PEP 466 with its "the default SSL context settings may
change in maintenance releases" behaviour to the Python 2.7.5-based
system Python in RHEL 7.2, so I expect we'd be OK with backporting
changes to default entropy settings in the secrets module.

The default settings in the system-provided OpenSSL have also long
been subject to change (that's one of the reasons CPython defaults to
dynamically linking to OpenSSL on *nix systems).

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

