On 6 August 2016 04:39, "Guido van Rossum" <[email protected]> wrote:
> 4. Bad code gets cargo-culted (e.g. through StackOverflow).
>
> Re (4): With PEP 524, people worried about blocking may be driven to
> unnecessarily write more complicated code using os.getrandom(). With
> PEP 522, people worried about crashes may be driven to unnecessarily
> call secrets.wait_for_system_rng() or put try/except blocks catching
> raise BlockingIOError around all their os.urandom()-based calls.

What can we do to reduce this issue? Promote the best recipes in the documentation of the random and/or secrets module? Add Nick's secrets.wait_for_system_rng()?

I have to confess that I don't like my own examples :-) I wrote them to show that you can reimplement the PEP 522 use cases and examples in a few lines.

The worst example is "try system urandom, if it would block, use the random module". IMO this use case is artificial. If you need security, the random module must not be used. If you don't need security, why would you take the risk of blocking your application (2) with os.urandom()? Always use the random module, no?

Victor
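The split described in the message above, as an added example that is not part of the original e-mail or of either PEP: the "fall back to random" pattern next to a security path that fails closed and a non-security path that never touches the system RNG. All function names are hypothetical, and failing closed with `RuntimeError` is an assumption about how a caller would want to handle an unseeded kernel pool.

```python
import os
import random


def nonblocking_urandom(n):
    """Kernel CSPRNG without blocking; BlockingIOError if the pool is unseeded."""
    if hasattr(os, "getrandom"):  # Linux, Python 3.6+
        # Small requests (a few dozen bytes) are returned in full.
        return os.getrandom(n, os.GRND_NONBLOCK)
    return os.urandom(n)  # assumption: no non-blocking API on this platform


def fallback_token(n, source=nonblocking_urandom):
    """The pattern the message calls artificial: silently degrade to random."""
    try:
        return source(n)
    except BlockingIOError:
        # Mersenne Twister output is predictable; unsuitable for secrets.
        return bytes(random.getrandbits(8) for _ in range(n))


def session_token(n=16, source=nonblocking_urandom):
    """Security needed: fail closed so the caller can wait or abort."""
    try:
        return source(n).hex()
    except BlockingIOError as exc:
        raise RuntimeError("system RNG not ready; refusing weak token") from exc


def retry_jitter(base_delay, rng=random):
    """No security needed: random module only, so nothing can block."""
    return base_delay * (1 + rng.random())


def unseeded_source(n):
    """Constructed stand-in for an early-boot kernel with an unseeded pool."""
    raise BlockingIOError("entropy pool not initialised")


if __name__ == "__main__":
    print("degraded token:", fallback_token(8, unseeded_source).hex())
    print("jitter:", retry_jitter(2.0))
    try:
        session_token(16, unseeded_source)
    except RuntimeError as err:
        print("session_token:", err)
```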
