[issue16190] Misleading warning in random module docs
Changes by Donald Stufft donald.stu...@gmail.com:

--
nosy: +dstufft

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue16190

Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Antoine Pitrou added the comment:

Done.

--
resolution:  -> fixed
stage: needs patch -> committed/rejected
status: open -> closed
versions: -Python 3.2

Roundup Robot added the comment:

New changeset 9df0501fab35 by Antoine Pitrou in branch '3.3':
Issue #16190: fix random module recommendation to use ssl.RAND_bytes().
http://hg.python.org/cpython/rev/9df0501fab35

New changeset 04b50a1eb013 by Antoine Pitrou in branch 'default':
Issue #16190: fix random module recommendation to use ssl.RAND_bytes().
http://hg.python.org/cpython/rev/04b50a1eb013

New changeset 48b618a9ad10 by Antoine Pitrou in branch '2.7':
Issue #16190: fix random module recommendation to use ssl.RAND_bytes().
http://hg.python.org/cpython/rev/48b618a9ad10

--
nosy: +python-dev

STINNER Victor added the comment:

Why did you remove reference to ssl.RAND_bytes() on Python 3.3 from the notice?

Antoine Pitrou added the comment:

As far as I understand, os.urandom() is fine for the task. There's no point in mentioning ssl.RAND_bytes() just because it exists, IMO.

Christian Heimes added the comment:

Thomas H. Ptacek pointed me to a good explanation: http://security.stackexchange.com/a/3939

TL;DR: Just use /dev/urandom and be happy.

Antoine Pitrou added the comment:

Agreed with a re-wording.

--
nosy: +pitrou

Changes by George Peristerakis peristera...@gmail.com:

--
nosy: -George.Peristerakis

Changes by George Peristerakis peristera...@gmail.com:

--
nosy: +George.Peristerakis

Changes by Raymond Hettinger raymond.hettin...@gmail.com:

--
assignee: docs@python -> rhettinger
components: +Documentation
nosy: +rhettinger
priority: normal -> low

Changes by Ezio Melotti ezio.melo...@gmail.com:

--
nosy: +ezio.melotti, haypo
stage:  -> needs patch

STINNER Victor added the comment:

See also the issue #15213 (and the issue #12754).

New submission from Christian Heimes:

The documentation [1] of the random module contains a misleading warning

---
Warning:
The generators of the random module should not be used for security purposes. Use ssl.RAND_bytes() if you require a cryptographically secure pseudorandom number generator.
---

The warning should point users to os.urandom() and random.SystemRandom rather than ssl.RAND_bytes(). On Linux os.urandom() wraps /dev/urandom [2], on Windows it uses CryptGenRandom() [3]. Both are suitable for most cryptographic purposes except for long-lived keys (SSL, SSH, GPG certs etc.). ssl.RAND_bytes() should only be used for such long-lived data and not for salts, session ids and similar.

I'd like to see the warning box in Python 2.7, too. It's still the default for docs.python.org.

My inquiry is motivated by #16184.

[1] http://docs.python.org/py3k/library/random.html
[2] http://linux.die.net/man/4/urandom
[3] http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942%28v=vs.85%29.aspx

--
assignee: docs@python
messages: 172589
nosy: christian.heimes, docs@python
priority: normal
severity: normal
status: open
title: Misleading warning in random module docs
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4

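The distinction the submission draws, shown as an added example that is not part of the tracker thread or the CPython docs: a session id built on the default Mersenne Twister generator is replayable from its seed, while random.SystemRandom and os.urandom() draw from the OS source. The function names, alphabet and lengths are assumptions chosen for illustration.

```python
import binascii
import os
import random

# Assumed token alphabet for this illustration.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def weak_session_id(seed, length=32):
    """'Before': random.Random is a deterministic PRNG, so anyone who
    knows (or can narrow down) the seed reproduces the same id."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def session_id(length=32):
    """'After': random.SystemRandom keeps no internal state and reads
    from the same OS source as os.urandom(); seed() is a documented
    no-op, so the output cannot be replayed."""
    rng = random.SystemRandom()
    rng.seed(1234)  # ignored by SystemRandom
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def salt_hex(nbytes=16):
    """Salt taken straight from os.urandom(), hex-encoded."""
    return binascii.hexlify(os.urandom(nbytes)).decode("ascii")


def is_replayable(make_id):
    """True when two calls of make_id() yield the same value."""
    return make_id() == make_id()


if __name__ == "__main__":
    print("seeded random.Random replayable:",
          is_replayable(lambda: weak_session_id(42)))
    print("random.SystemRandom replayable: ", is_replayable(session_id))
    print("salt from os.urandom():         ", salt_hex())
```
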
Georg Brandl added the comment:

Sure, I'd propose a rewording that mentions both alternatives and when they should be used.

--
nosy: +georg.brandl