Cory Benfield added the comment:

This patch explicitly violates several of the documented constraints of the 
Python standard library.

For example, random.SystemRandom uses os.urandom to generate its random 
numbers. SystemRandom is then used by the secrets module to generate *its* 
random numbers. This means that os.urandom *is* explicitly used by the Python 
standard library to generate cryptographically secure random numbers. It was 
done so in part expressly because the call to random() could block.

If Python needs a non-blocking RNG for internal purposes, that's totally fine, 
a new function should be written that does exactly that. But any code that is 
calling secrets or random.SystemRandom is expecting the documented guarantees 
of that module: that is, that the security profile of the random numbers 
generated by those objects are cryptographically secure. This patch ensures 
that that guarantee is *violated* on Linux systems run on cloud servers, which 
is more than a little alarming to me.

----------
nosy: +Lukasa

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26839>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to