> On Jun 23, 2016, at 8:48 AM, Barry Warsaw <ba...@python.org> wrote: > > On Jun 22, 2016, at 06:31 PM, Nick Coghlan wrote: > >> try: >> my_random = os.getrandom >> except AttributeError: >> my_random = os.urandom > > Once Python 3.6 is widely available, and/or secrets is backported and > available on PyPI, why would you ever do that rather than just get the best > source of randomness out of the secrets module?
Because projects are likely going to be supporting things other than 3.6 for a very long time. The “typical” support matrix for a project on PyPI currently looks roughly like 2.6, 2.7, and 3.3+. We’re seeing some projects dropping 2.6 finally on PyPI but it’s still a major source of downloads and 2.7 itself is still ~86% of downloads initiated by pip across all of PyPI. There is the idea of a secrets module back port on PyPI, but without adding C code to that it’s going to basically just do the same thing as that try … except and if the secrets backport requires C I think you won’t get a very large uptick since os.urandom exists already and the issues are subtle enough that I don’t think most people are going to grok them immediately and will just automatically avoid a C dependency where they don’t immediately see the need for one. Even if we pretend that 3.6+ only is something that’s going to happen in anything approaching a short timeline, we’re still going to be fighting against the tide for what the vast bulk of documentation out there states to do. So not only do we need to wait it out for pre 3.6 to die out, but we also need to wait it out for the copious amounts of third party documentation out there telling people to just use os.urandom dies. And even in the future, once we get to a 3.6+ only world, os.urandom and the try .. except shim will still “work” for all anyone can tell (since the failure mode on os.urandom itself is practically silent in every way imaginable) so unless they already know about this issue and go out of their way to switch over to the secrets module, they’re likely to continue using something in the os module for a long time. IOW, I think secrets is great, but I think it mostly helps new code written targeting 3.6+ only, rather than being a solution for the vast bulk of software already out there or which doesn’t yet exist but is going to support older things than 3.6. — Donald Stufft _______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
