Nick Coghlan added the comment:
With the 3.6 os.urandom() implementation doing the right thing consistently
cross-platform, our guidance for folks that care about the quality of the
CSPRNG they use should be that they either upgrade to that version, or else
ensure that the kernel CSPRNG is properly seeded before they run Python.
That is, I think the tone we're aiming for in the older docs now should be
"You're using an older Python version, so if this problem description worries
you, you need to either upgrade or else take the necessary steps to satisfy
yourself that your host system's CSPRNG is properly configured", rather than
the more passive "os.urandom() isn't necessarily secure" (with minimal guidance
on what to do about it) that we've previously adopted.
Python tracker <rep...@bugs.python.org>
Python-bugs-list mailing list
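One way to carry out the "ensure that the kernel CSPRNG is properly seeded" step on an older interpreter, as an added example that is not part of the original comment or of CPython: it probes getrandom(2) with `GRND_NONBLOCK`, which fails with `EAGAIN` while the pool is uninitialised. It assumes Linux 3.17+ with a libc that exports `getrandom`; the function names and the `startup_urandom` helper are hypothetical.

```python
import ctypes
import ctypes.util
import errno
import os
import sys

GRND_NONBLOCK = 0x0001  # flag value from <linux/random.h>


def urandom_waits_for_seed(version_info=sys.version_info):
    """True on 3.6+, where os.urandom() itself waits for a seeded kernel CSPRNG."""
    return tuple(version_info[:2]) >= (3, 6)


def _getrandom_nonblock(n):
    """Call getrandom(2) with GRND_NONBLOCK; fails with EAGAIN if not yet seeded."""
    if hasattr(os, "getrandom"):  # only present on Python 3.6+ (Linux)
        return os.getrandom(n, os.GRND_NONBLOCK)
    # Older interpreters: reach the libc wrapper through ctypes (glibc 2.25+).
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    buf = ctypes.create_string_buffer(n)
    got = libc.getrandom(buf, ctypes.c_size_t(n), ctypes.c_uint(GRND_NONBLOCK))
    if got < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return buf.raw[:got]


def kernel_csprng_seeded():
    """True/False when the kernel answers, None when the check is unavailable."""
    try:
        _getrandom_nonblock(1)
    except OSError as exc:
        # EAGAIN: pool not initialised. Anything else (ENOSYS, ...): unknown.
        return False if exc.errno == errno.EAGAIN else None
    except (AttributeError, TypeError):
        return None  # no getrandom symbol in libc, or no usable libc handle
    return True


def startup_urandom(n):
    """Hypothetical helper: refuse os.urandom() output that may be unseeded."""
    if not urandom_waits_for_seed() and kernel_csprng_seeded() is not True:
        raise RuntimeError("kernel CSPRNG not confirmed seeded; upgrade or seed it")
    return os.urandom(n)
```

A `None` result is treated as a failure on pre-3.6 interpreters, so a host where the probe cannot run is handled the same way as one that reports an unseeded pool.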