Re: [Django] #9687: Use more randomness in secret key generation

Tue, 25 Nov 2008 00:31:05 -0800 

#9687: Use more randomness in secret key generation
-----------------------------------------+----------------------------------
          Reporter:  [EMAIL PROTECTED]  |         Owner:  nobody           
            Status:  closed              |     Milestone:                   
         Component:  Core framework      |       Version:  1.0              
        Resolution:  wontfix             |      Keywords:  SECRET_KEY random
             Stage:  Unreviewed          |     Has_patch:  0                
        Needs_docs:  0                   |   Needs_tests:  0                
Needs_better_patch:  0                   |  
-----------------------------------------+----------------------------------
Comment (by mtredinnick):

 Perhaps you could leave the passive-aggressive attitude and ad hominem
 attachs at home next time. I'm grateful you looked at this and posted a
 patch, but that doesn't make it a slam dunk. Your assertion about our
 understanding isn't correct, primarily because we're not using MD5 hashing
 for cryptographic purposes (we're using the uniform hashing properties).
 For example, #1180 is an example of why PRNG handling has to be done
 carefully and it was a bug that was fixed carefully.

 If you have an actual technical problem with this being closed, feel free
 to raise it in the appropriate way. I closed this because it doesn't
 significantly increase the security of the system. The current key length
 is already long enough to cover the space of generated MD5 digests twice
 over (and using a reduced alphabet makes the unlikely event of generating
 a false pre-image less likely). Changing code just because we can is never
 a goal in software.

 I'm sorry you feel your patch was unfairly rejected, but it's not because
 of the reasons you mention and you're being unfair to myself and others.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9687#comment:3>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to