> On Jun 23, 2016, at 8:48 AM, Barry Warsaw <ba...@python.org> wrote:
> 
> On Jun 22, 2016, at 06:31 PM, Nick Coghlan wrote:
> 
>>   try:
>>       my_random = os.getrandom
>>   except AttributeError:
>>       my_random = os.urandom
> 
> Once Python 3.6 is widely available, and/or secrets is backported and
> available on PyPI, why would you ever do that rather than just get the best
> source of randomness out of the secrets module?

Because projects are likely going to be supporting things other than 3.6 for
a very long time. The “typical” support matrix for a project on PyPI currently
looks roughly like 2.6, 2.7, and 3.3+. We’re seeing some projects dropping 2.6
finally on PyPI but it’s still a major source of downloads and 2.7 itself is
still ~86% of downloads initiated by pip across all of PyPI. There is the idea
of a secrets module back port on PyPI, but without adding C code to that it’s
going to basically just do the same thing as that try … except and if the secrets
backport requires C I think you won’t get a very large uptick since os.urandom
exists already and the issues are subtle enough that I don’t think most people
are going to grok them immediately and will just automatically avoid a C
dependency where they don’t immediately see the need for one.

Even if we pretend that 3.6+ only is something that’s going to happen in anything
approaching a short timeline, we’re still going to be fighting against the tide
for what the vast bulk of documentation out there states to do. So not only do we
need to wait it out for pre 3.6 to die out, but we also need to wait it out for
the copious amounts of third party documentation out there telling people to just
use os.urandom to die.

And even in the future, once we get to a 3.6+ only world, os.urandom and the
try .. except shim will still “work” for all anyone can tell (since the failure
mode on os.urandom itself is practically silent in every way imaginable) so unless
they already know about this issue and go out of their way to switch over to the
secrets module, they’re likely to continue using something in the os module for
a long time.

IOW, I think secrets is great, but I think it mostly helps new code written
targeting 3.6+ only, rather than being a solution for the vast bulk of software
already out there or which doesn’t yet exist but is going to support older things
than 3.6.


—
Donald Stufft
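
Added example, not part of the original message and not code from the secrets module or any backport: a pure-Python shim of the kind the thread discusses, showing which source it ends up using on a given interpreter. The names `pick_source`, `read_exact` and `random_bytes` are hypothetical.

```python
import os


def read_exact(read, n):
    """Call read(k) until n bytes are collected.

    os.getrandom() may return fewer bytes than requested, so a shim that
    calls it directly has to loop; os.urandom() already does this itself.
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = read(n - len(buf))
        if not chunk:
            raise OSError("random source returned no data")
        buf += chunk
    return bytes(buf)


def pick_source():
    """Return (name, callable) for the best source this interpreter offers."""
    try:
        import secrets  # standard library from Python 3.6
        return "secrets.token_bytes", secrets.token_bytes
    except ImportError:
        pass
    try:
        getrandom = os.getrandom  # Linux, Python 3.6+
    except AttributeError:
        # secrets and os.getrandom both arrived in 3.6, so without C code
        # every older interpreter lands here, on plain os.urandom.
        return "os.urandom", os.urandom
    return "os.getrandom", lambda n: read_exact(getrandom, n)


SOURCE_NAME, SOURCE = pick_source()


def random_bytes(n):
    """Return n random bytes from whichever source was selected at import."""
    return SOURCE(n)


if __name__ == "__main__":
    print(SOURCE_NAME, random_bytes(16).hex())
```

Logging `SOURCE_NAME` at startup makes the otherwise silent fallback to `os.urandom` visible on the interpreters a project actually supports.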



_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
