Re: [Python-Dev] PEP 506 secrets module

2016-04-15 Thread Nick Coghlan
On 15 April 2016 at 19:39, Victor Stinner wrote:
> Hi,
>
> Would it make sense to add a function to generate a random UUID4 (as a
> string) in secrets?
>
> The current implementation in uuid.py of CPython 3.6 already uses os.urandom():
>
> def uuid4():
>     """Generate a

Re: [Python-Dev] PEP 506 secrets module

2016-04-15 Thread Victor Stinner
Hi,

Would it make sense to add a function to generate a random UUID4 (as a string) in secrets?

The current implementation in uuid.py of CPython 3.6 already uses os.urandom():

    def uuid4():
        """Generate a random UUID."""
        return UUID(bytes=os.urandom(16), version=4)

Victor

Re: [Python-Dev] PEP 506 secrets module

2016-04-11 Thread Ethan Furman
On 04/11/2016 11:35 AM, Guido van Rossum wrote: Most excellent! PEP 506 is hereby approved. Congrats again. Congratulations, Steven! -- ~Ethan~

Re: [Python-Dev] PEP 506 secrets module

2016-04-11 Thread Guido van Rossum
Most excellent! PEP 506 is hereby approved. Congrats again. On Mon, Apr 11, 2016 at 10:50 AM, Steven D'Aprano wrote: > On Sun, Apr 10, 2016 at 11:43:08AM -0700, Guido van Rossum wrote: >> Hi Steven, >> >> No problem with the delay -- it's still before 3.6.0. I do think it's

Re: [Python-Dev] PEP 506 secrets module

2016-04-11 Thread Steven D'Aprano
On Sun, Apr 10, 2016 at 11:43:08AM -0700, Guido van Rossum wrote: > Hi Steven, > > No problem with the delay -- it's still before 3.6.0. I do think it's > just about a record gap in the PEP review process. :-) > > I will approve the PEP as soon as you've updated the two function > names in the

Re: [Python-Dev] PEP 506 secrets module

2016-04-11 Thread Raymond Hettinger
> On Apr 10, 2016, at 11:43 AM, Guido van Rossum wrote: > > I will approve the PEP as soon as you've updated the two function > names in the PEP. Congratulations Steven. Raymond

Re: [Python-Dev] PEP 506 secrets module

2016-04-10 Thread Guido van Rossum
Hi Steven, No problem with the delay -- it's still before 3.6.0. I do think it's just about a record gap in the PEP review process. :-) I will approve the PEP as soon as you've updated the two function names in the PEP. (If you don't have write access to the peps repo, send the new version to

Re: [Python-Dev] PEP 506 secrets module

2016-04-09 Thread Steven D'Aprano
I've just spotted this email from Guido, sorry about the delay in responding. Further comments below. On Thu, Jan 14, 2016 at 10:47:09AM -0800, Guido van Rossum wrote: > I think the discussion petered out and nobody asked me to approve it yet > (or I lost track of it). I'm almost happy to

Re: [Python-Dev] PEP 506 secrets module

2016-01-14 Thread Brett Cannon
I noticed an article about default rand usage in Go from the Go Weekly newsletter and it reminded me about PEP 506 and the secrets module. That's when I noticed that the PEP is still open. What is the current blocker on the

Re: [Python-Dev] PEP 506 secrets module

2016-01-14 Thread Guido van Rossum
I think the discussion petered out and nobody asked me to approve it yet (or I lost track of it). I'm almost happy to approve it in the current state. My only quibble is with some naming -- I'm not sure that a super-generic name like 'equal' is better than the original ('compare_digest'), and I

Re: [Python-Dev] PEP 506 secrets module

2015-10-20 Thread Nick Coghlan
On 16 October 2015 at 12:04, Steven D'Aprano wrote: > On Fri, Oct 16, 2015 at 08:57:24AM +0200, Victor Stinner wrote: >> I don't like the idea of having two functions doing *almost* the same >> thing: randint() and randrange(). There is a risk that these functions >> will be

Re: [Python-Dev] PEP 506 secrets module

2015-10-20 Thread Victor Stinner
2015-10-20 11:11 GMT+02:00 Nick Coghlan : > Folks wanting to simulate die rolls should be using the random module > rather than the secrets module anyway, Hum, why? Dice are used in casinos where security matters because it costs money. A bad API can be more likely misused

Re: [Python-Dev] PEP 506 secrets module

2015-10-20 Thread Nick Coghlan
On 20 October 2015 at 11:33, Victor Stinner wrote: > 2015-10-20 11:11 GMT+02:00 Nick Coghlan : >> Folks wanting to simulate die rolls should be using the random module >> rather than the secrets module anyway, > > Hum, why? Dice are used in casinos

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Guido van Rossum
Yes, randrange(n) does that. --Guido (mobile) On Oct 17, 2015 2:28 PM, "Brian Gladman" wrote: > > Guido van Rossum wrote: > > > I'm fine with dropping the 3rd arg. But I find the argument to > > introduce a new spelling for 1-arg randrange() weak. > > I should stress that

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Guido van Rossum
OK, so just randbelow() then. --Guido (mobile) On Oct 17, 2015 2:13 PM, "Tim Peters" wrote: > [Steven D'Aprano] > >> ... > >> I think it is fair to say that out of the three functions, there is > >> consensus that randbelow has the most useful functionality in a crypto >

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Random832
Brian Gladman writes: >> On Sat, Oct 17, 2015 at 03:26:46AM +1100, Steven D'Aprano wrote: > I hence support your conclusion that the module should offer randbelow > alone. I would oppose offering randomrange (or offering more than one > of them) since this will pretty

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Steven D'Aprano
On Sat, Oct 17, 2015 at 03:26:46AM +1100, Steven D'Aprano wrote: > On Fri, Oct 16, 2015 at 06:35:14PM +0300, Serhiy Storchaka wrote: > > > I suggest to add only randrange(). randint() is a historical artefact, we > > shouldn't repeat this mistake in new module. The secrets module is not > > good

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Guido van Rossum
On Sat, Oct 17, 2015 at 2:50 AM, Steven D'Aprano wrote: > [...] > So you can see there is nothing even close to consensus as to which API > is best, which is an argument for keeping all three functions. > No, that's not how we do it in Python. :-) > But significantly, only

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Random832
Guido van Rossum writes: > On Sat, Oct 17, 2015 at 2:50 AM, Steven D'Aprano > wrote: > > [...] > So you can see there is nothing even close to consensus as to > which API > is best, which is an argument for keeping all three functions. > >

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Brian Gladman
> On Sat, Oct 17, 2015 at 03:26:46AM +1100, Steven D'Aprano wrote: [snip] > But significantly, only *one* of the commenters has claimed to have > any significant experience in crypto work, and I will quote him: I didn't specifically claim the experience you requested in responding to your post on

Re: [Python-Dev] PEP 506 secrets module

2015-10-17 Thread Tim Peters
[Steven D'Aprano] >> ... >> I think it is fair to say that out of the three functions, there is >> consensus that randbelow has the most useful functionality in a crypto >> context. Otherwise, people seem roughly equally split between the three >> functions. There doesn't seem to be any use-case

[Python-Dev] PEP 506 secrets module

2015-10-17 Thread Brian Gladman
> Guido van Rossum wrote: > I'm fine with dropping the 3rd arg. But I find the argument to > introduce a new spelling for 1-arg randrange() weak. I should stress that my preference for randbelow over randrange was based purely on their proposed functionality and not on their names. I do however

Re: [Python-Dev] PEP 506 secrets module

2015-10-16 Thread Guido van Rossum
Single-argument randrange(n) is the same as randbelow(n), right? I don't see any reason to have randbelow() if that's true. On Fri, Oct 16, 2015 at 11:29 AM, Serhiy Storchaka wrote: > On 16.10.15 19:26, Steven D'Aprano wrote: > >> On Fri, Oct 16, 2015 at 06:35:14PM +0300,

Re: [Python-Dev] PEP 506 secrets module

2015-10-16 Thread Serhiy Storchaka
On 16.10.15 19:26, Steven D'Aprano wrote: On Fri, Oct 16, 2015 at 06:35:14PM +0300, Serhiy Storchaka wrote: I suggest to add only randrange(). randint() is a historical artefact, we shouldn't repeat this mistake in new module. The secrets module is not a good way to generate dice rolls. In most

Re: [Python-Dev] PEP 506 secrets module

2015-10-16 Thread Victor Stinner
Hi, I like the PEP. IMHO it's a better solution than using a CPRNG for random by default. I suggest to raise an error if token_bytes(n) is called with n < 16 bytes (128 bits). Well, I'm not sure that 16 is the good compromise between performance and security, but we must enforce users to use a

Re: [Python-Dev] PEP 506 secrets module

2015-10-16 Thread Chris Angelico
On Fri, Oct 16, 2015 at 9:04 PM, Steven D'Aprano wrote: > On Fri, Oct 16, 2015 at 08:57:24AM +0200, Victor Stinner wrote: >> Hi, >> >> I like the PEP. IMHO it's a better solution than using a CPRNG for >> random by default. >> >> I suggest to raise an error if token_bytes(n)

Re: [Python-Dev] PEP 506 secrets module

2015-10-16 Thread Steven D'Aprano
On Fri, Oct 16, 2015 at 08:57:24AM +0200, Victor Stinner wrote: > Hi, > > I like the PEP. IMHO it's a better solution than using a CPRNG for > random by default. > > I suggest to raise an error if token_bytes(n) is called with n < 16 > bytes (128 bits). Well, I'm not sure that 16 is the good

Re: [Python-Dev] PEP 506 secrets module

2015-10-16 Thread Serhiy Storchaka
On 16.10.15 09:57, Victor Stinner wrote: I suggest to raise an error if token_bytes(n) is called with n < 16 bytes (128 bits). Well, I'm not sure that 16 is the good compromise between performance and security, but we must enforce users to use a minimum number of bits of entropy. token_bytes(1)

Re: [Python-Dev] PEP 506 secrets module

2015-10-16 Thread Steven D'Aprano
On Fri, Oct 16, 2015 at 06:35:14PM +0300, Serhiy Storchaka wrote: > I suggest to add only randrange(). randint() is a historical artefact, we > shouldn't repeat this mistake in new module. The secrets module is not a > good way to generate dice rolls. In most other cases you need to > generate

[Python-Dev] PEP 506 secrets module

2015-10-15 Thread Steven D'Aprano
Hi, As extensively discussed on Python-Ideas, the secrets module and PEP 506 is (I hope) ready for pronouncement. https://www.python.org/dev/peps/pep-0506/ There is code and tests here: https://bitbucket.org/sdaprano/secrets or you can run hg clone

Re: [Python-Dev] PEP 506 secrets module

2015-10-15 Thread Chris Rebert
On Thu, Oct 15, 2015 at 5:57 PM, Steven D'Aprano wrote: > Hi, > > As extensively discussed on Python-Ideas, the secrets module and PEP 506 > is (I hope) ready for pronouncement. > > https://www.python.org/dev/peps/pep-0506/ {{{ Comparison To Other Languages [...] Javascript