[Security-sig] Take a decision for os.urandom() in Python 3.6

Nick Coghlan ncoghlan at gmail.com
Mon Aug 8 00:22:47 EDT 2016

On 8 August 2016 at 13:32, Nick Coghlan <ncoghlan at gmail.com> wrote:

> The Fedora Rawhide experiment I'm proposing in that email to the Fedora
> Python list should give us the data we (Fedora) need to decide whether or
> not this is one of those cases where it makes sense for us to carry a patch
> - if we get zero hits from the exception in ABRT, then it means the default
> blocking behaviour should be relatively safe (since people won't be
> encountering it), so we can drop the patch before the F26 Beta release, and
> Guido will have a solid data point backing up his design instincts. If we
> *do* get hits on the exception, then exactly what we do will depend on the
> nature of those hits, and in particular whether or not the change is
> helping folks find misconfigured Fedora environments they hadn't previously
> noticed, or if they're spurious notifications in situations where just
> blocking for a few hundred milliseconds would have resolved the problem on
> its own (as tested by inserting a "python -c 'import os; os.getrandom(1)'"
> before whatever application startup is triggering the new exception).

I started thinking a bit more about the outcomes we'd be looking for from
such an experiment [1], and that reminded me of the fact we could potentially
do that with a much lower level of divergence if the upstream
implementation issued a runtime warning when it needed to fall back to
blocking behaviour. That is, rather than just calling "getrandom(size, 0)"
unconditionally, the current logic for trying "getrandom(size,
GRND_NONBLOCK)" first could be kept, and only the fallback to reading from
"/dev/random" changed to instead call "getrandom(size, 0)" with a
preceding call to PyErr_Warn.

That warning on its own would address almost all my lingering concerns with
the implicit blocking approach, since Python's normal warning control
machinery can be used to turn it into an exception if that's the desired
behaviour in a given context, and the only policy decision distros would
need to make for their system Python is whether they treat that warning as
an error by default or not.



Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
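The fallback-with-warning logic sketched in the message above, written out as an added Python example (this is not code from the thread or from CPython itself; CPython's actual implementation lives in C in `Python/random.c`). It assumes Linux's `os.getrandom` / `os.GRND_NONBLOCK` for the real path, and uses constructed stub getters to simulate the unseeded-pool case so the warning path can be exercised on a machine whose pool is already initialised. The warning category name `EntropyPoolNotReadyWarning` is hypothetical.

```python
import errno
import os
import warnings


class EntropyPoolNotReadyWarning(RuntimeWarning):
    """Hypothetical category: issued when the kernel CSPRNG is not yet seeded
    and the call falls back to blocking getrandom(size, 0)."""


def _nonblocking_getrandom(size):
    # getrandom(size, GRND_NONBLOCK): raises BlockingIOError (EAGAIN) while the
    # pool is unseeded instead of blocking. Falls back to os.urandom where the
    # platform has no getrandom() (e.g. macOS), so the example still runs there.
    if hasattr(os, "getrandom"):
        return os.getrandom(size, os.GRND_NONBLOCK)
    return os.urandom(size)


def _blocking_getrandom(size):
    # getrandom(size, 0): blocks until the pool is initialised, never returns
    # bytes from an unseeded CSPRNG.
    if hasattr(os, "getrandom"):
        return os.getrandom(size, 0)
    return os.urandom(size)


def urandom_with_warning(size, nonblocking=_nonblocking_getrandom,
                         blocking=_blocking_getrandom):
    """Try the non-blocking call first; on EAGAIN warn, then block.

    The warning is the policy knob: Python's normal filter machinery can keep
    it as a warning, silence it, or turn it into an exception."""
    try:
        return nonblocking(size)
    except BlockingIOError:
        warnings.warn(
            "system CSPRNG not yet seeded; blocking until it is",
            EntropyPoolNotReadyWarning, stacklevel=2)
        return blocking(size)


def _make_unseeded_stubs(calls):
    # Constructed stand-ins for the kernel syscalls during early boot: the
    # non-blocking call fails with EAGAIN, the blocking call "waits" and returns.
    def fake_nonblocking(n):
        calls.append("nonblock")
        raise BlockingIOError(errno.EAGAIN, "entropy pool not initialised")

    def fake_blocking(n):
        calls.append("block")
        return b"\x00" * n   # placeholder bytes, not randomness
    return fake_nonblocking, fake_blocking


def demo_unseeded_boot(size=8):
    """Default policy: warn once, then block. Returns (data, call order, warnings)."""
    calls = []
    fake_nonblocking, fake_blocking = _make_unseeded_stubs(calls)
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", EntropyPoolNotReadyWarning)
        data = urandom_with_warning(size, fake_nonblocking, fake_blocking)
    return data, calls, [str(w.message) for w in caught]


def demo_warning_as_error(size=8):
    """Strict policy (what a distro could ship as default): the warning becomes
    an exception, so a misconfigured environment fails loudly at the call site."""
    calls = []
    fake_nonblocking, fake_blocking = _make_unseeded_stubs(calls)
    with warnings.catch_warnings():
        warnings.simplefilter("error", EntropyPoolNotReadyWarning)
        try:
            urandom_with_warning(size, fake_nonblocking, fake_blocking)
        except EntropyPoolNotReadyWarning:
            return True, calls
    return False, calls


if __name__ == "__main__":
    print("seeded system:", len(urandom_with_warning(16)), "bytes")
    print("unseeded boot, default policy:", demo_unseeded_boot())
    print("unseeded boot, warning-as-error:", demo_warning_as_error())
```

On an already-seeded host the first call never warns; the two `demo_` functions show the two policies a distribution could choose between. Under the strict policy the blocking getter is never reached, which is the behaviour the experiment wanted to surface through ABRT; under the default policy the call still completes with properly seeded bytes, and the warning leaves a trace that the pool was not ready.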