New submission from Christian Heimes:

The documentation [1] of the random module contains a misleading warning:

---
Warning: The generators of the random module should not be used for security 
purposes. Use ssl.RAND_bytes() if you require a cryptographically secure 
pseudorandom number generator.
---

The warning should point users to os.urandom() and random.SystemRandom rather 
than ssl.RAND_bytes(). On Linux os.urandom() wraps /dev/urandom [2]; on Windows 
it uses CryptGenRandom() [3]. Both are suitable for most cryptographic purposes 
except for long-lived keys (SSL, SSH, GPG certs etc.). ssl.RAND_bytes() should 
only be used for such long-lived data and not for salts, session ids and 
similar.

I'd like to see the warning box in Python 2.7, too. It's still the default for 
docs.python.org. My inquiry is motivated by #16184.

[1] http://docs.python.org/py3k/library/random.html
[2] http://linux.die.net/man/4/urandom
[3] http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942%28v=vs.85%29.aspx

----------
assignee: docs@python
messages: 172589
nosy: christian.heimes, docs@python
priority: normal
severity: normal
status: open
title: Misleading warning in random module docs
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue16190>
_______________________________________
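The point behind the proposed wording, shown as an added example that is not part of the tracker issue or of CPython: a random.Random instance (MT19937) leaks its entire state through 624 consecutive 32-bit outputs, after which every future value can be predicted, whereas random.SystemRandom and os.urandom() draw from the OS pool and expose no state at all. The tempering constants and the 625-element state tuple layout are those of MT19937 and CPython's _random module; the seed value, the token alphabet and the "leaked outputs" scenario are constructed for the demonstration.

```python
"""Added example (not from the issue or CPython): MT19937 state recovery
versus os.urandom()/SystemRandom for salts and session ids."""
import os
import random

N = 624  # MT19937 state size in 32-bit words


def untemper(y: int) -> int:
    """Invert MT19937's output tempering, recovering the raw state word.

    Forward tempering is: >>11, <<7 & 0x9d2c5680, <<15 & 0xefc60000, >>18.
    Undo the steps in reverse order; the two shift-left steps need a few
    rounds because each round only fixes another 7 (or 11) bits.
    """
    y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):                      # 32 bits / 7-bit shift -> 5 rounds
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y
    for _ in range(3):                      # 32 bits / 11-bit shift -> 3 rounds
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_mt(outputs) -> random.Random:
    """Rebuild a random.Random that continues exactly where the victim is.

    `outputs` must be 624 consecutive getrandbits(32) values from the target.
    Index 624 in the state tuple makes CPython run the twist on the next
    call, so the clone's next output is the victim's next output.
    """
    outputs = list(outputs)
    if len(outputs) != N:
        raise ValueError(f"need exactly {N} outputs, got {len(outputs)}")
    state = tuple(untemper(o) for o in outputs) + (N,)
    clone = random.Random()
    clone.setstate((3, state, None))        # (version, internalstate, gauss_next)
    return clone


def predict_next(outputs, count: int = 8) -> list:
    """Predict the victim's next `count` 32-bit outputs from 624 leaked ones."""
    clone = clone_mt(outputs)
    return [clone.getrandbits(32) for _ in range(count)]


def demo_prediction(seed: int = 0xC0FFEE) -> bool:
    """Constructed scenario: a server hands out 624 values from random.Random
    (say, as 'unguessable' ids); an attacker predicts the ones that follow."""
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(N)]
    predicted = predict_next(leaked, 8)
    actual = [victim.getrandbits(32) for _ in range(8)]
    return predicted == actual


# --- What the issue says the warning should point to instead --------------

_sysrand = random.SystemRandom()           # backed by os.urandom(), no Python-side state
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def new_salt(nbytes: int = 16) -> bytes:
    """Password salt: raw bytes straight from the OS pool."""
    return os.urandom(nbytes)


def new_session_id(length: int = 32) -> str:
    """Session id: each character chosen by SystemRandom, never by random.choice."""
    return "".join(_sysrand.choice(ALPHABET) for _ in range(length))


def system_random_has_no_state() -> bool:
    """SystemRandom refuses getstate()/setstate(); there is nothing to clone."""
    try:
        _sysrand.getstate()
    except NotImplementedError:
        return True
    return False


if __name__ == "__main__":
    print("MT19937 future output predicted:", demo_prediction())
    print("SystemRandom exposes no state:", system_random_has_no_state())
    print("salt:", new_salt().hex())
    print("session id:", new_session_id())
```

The recovery works from any 624 consecutive outputs, not only from the first 624 after seeding, because the batched twist in MT19937 is the same linear recurrence applied word by word; the clone just needs the 624 most recent raw words and an index of 624.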