[Security-sig] Take a decision for os.urandom() in Python 3.6

Victor Stinner victor.stinner at gmail.com
Sat Aug 6 06:23:45 EDT 2016


An alternative would be to add to my PEP 524 an *optional*
random.SystemRandomNonblock which is basically the PEP 522 (raise if it
would block). "Optional"... or maybe make it always available but block(!)
on some platforms? (Bad idea IMO)

I dislike the idea of adding 2 new functions to generate random in the same
PEP (getrandom, SystemRandomNonblock), it's already hard enough to pick the
right one in Python 3.5...

Victor

On 6 Aug 2016 10:46 AM, "Nick Coghlan" <ncoghlan at gmail.com> wrote:

> On 6 August 2016 at 18:32, Victor Stinner <victor.stinner at gmail.com>
> wrote:
> > On 6 Aug 2016 04:39, "Guido van Rossum" <guido at python.org> wrote:
> >> 4. Bad code gets cargo-culted (e.g. through StackOverflow).
> >
> >> Re (4): With PEP 524, people worried about blocking may be driven to
> >> unnecessarily write more complicated code using os.getrandom(). With
> >> PEP 522, people worried about crashes may be driven to unnecessarily
> >> call secrets.wait_for_system_rng() or put try/except blocks catching
> >> raise BlockingIOError around all their os.urandom()-based calls.
> >
> > What can we do to reduce this issue? Promote the best recipes in the
> > documentation of the random and/or secrets module? Add Nick's
> > secrets.wait_for_system_rng()?
>
> At the moment, PEP 522 doesn't propose making the secrets API block
> implicitly. I was already starting to have doubts about that, and
> given Guido's feedback, I think I should change it so that it does.
>
> That would give the following overall outcome:
>
> - the random APIs will never block (but shouldn't be used for secrets)
> - the secrets APIs will block if they need to (including
> secrets.wait_for_system_rng())
> - os.urandom() may raise BlockingIOError if you don't wait for the
> system RNG first
> - random.SystemRandom() may raise BlockingIOError if you don't wait
> for the system RNG first
>
> And if in the latter two cases someone is directed to the secrets
> module to wait for the system RNG to be ready (e.g. in the error
> message we raise), they may find that secrets offers a higher level
> API for whatever they were trying to do anyway.
>
> Meanwhile, folks that want to do something other than block if the
> system RNG isn't ready (like log potentially relevant details of the
> system encountering the lack of entropy) can just catch
> BlockingIOError, rather than needing to use platform specific APIs
> like os.getrandom().
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>
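As an added illustration (not code from the thread or from either PEP), here is a sketch of what the optional random.SystemRandomNonblock Victor mentions could look like, alongside the "catch BlockingIOError and log it" pattern Nick describes. It assumes os.getrandom() with os.GRND_NONBLOCK (Linux, Python 3.6+) and falls back to plain os.urandom() where that call is not available.

```python
import logging
import os
import random

log = logging.getLogger(__name__)


def nonblocking_urandom(n):
    """Return n random bytes, or raise BlockingIOError instead of waiting.

    On Linux with Python 3.6+ this uses os.getrandom(GRND_NONBLOCK), which
    raises BlockingIOError while the kernel pool is still uninitialized.
    Elsewhere (assumption made here) it falls back to os.urandom(), which
    may block or may never raise depending on the platform.
    """
    if hasattr(os, "getrandom"):
        return os.getrandom(n, os.GRND_NONBLOCK)
    return os.urandom(n)


class SystemRandomNonblock(random.SystemRandom):
    """SystemRandom variant that raises rather than blocks (PEP 522 style).

    Only random() and getrandbits() touch the OS source; the other
    SystemRandom methods (randrange, choice, ...) are built on getrandbits.
    """

    def random(self):
        # 7 bytes = 56 bits; keep the top 53 (float mantissa), scale to [0, 1).
        return (int.from_bytes(nonblocking_urandom(7), "big") >> 3) * 2.0 ** -53

    def getrandbits(self, k):
        if k < 0:
            raise ValueError("number of bits must be non-negative")
        numbytes = (k + 7) // 8
        x = int.from_bytes(nonblocking_urandom(numbytes), "big")
        return x >> (numbytes * 8 - k)


def token_or_wait(n):
    """Nick's recipe: try the non-blocking path, log details if the RNG is not
    ready, then fall back to the blocking os.urandom() (PEP 524 behaviour)."""
    try:
        return nonblocking_urandom(n)
    except BlockingIOError:
        log.warning("system RNG not initialized yet (pid=%d); waiting", os.getpid())
        return os.urandom(n)
```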