Title: Raise BlockingIOError in os.urandom if kernel is not ready
Type: enhancement
Stage: needs patch
Versions: Python 3.6
Status: closed
Resolution: rejected
Nosy List: ncoghlan, vstinner
Priority: normal

Created on 2016-06-09 17:14 by ncoghlan, last changed 2016-09-20 21:57 by vstinner. This issue is now closed.

Messages (4)
msg268041 - Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2016-06-09 17:14
This proposal competes directly with #27250, #27266, and #27279 as possible long term solutions to the Linux/systemd os.urandom deadlock bug described in #26839.

Rather than adding new APIs, or making os.urandom potentially blocking on Linux (as it was in 3.5.0 and 3.5.1), it instead proposes that os.urandom immediately raise BlockingIOError if the kernel entropy pool has not yet been initialised.

This behaviour will mean that users attempting to gather strong entropy too early in the Linux boot process will fail rather than block, so affected scripts and programs can readily fall back to reading from /dev/urandom or using the random module APIs if they don't need cryptographically strong random data. Scripts that do need cryptographically strong random data can either poll os.urandom until it succeeds, or else fail explicitly and let their caller resolve the problem.
msg268042 - Author: Donald Stufft (dstufft) * (Python committer) Date: 2016-06-09 17:16
This proposal is reasonable to me and solves any problems I have with the default behavior of os.urandom.
msg268044 - Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2016-06-09 17:24
The key advantage the BlockingIOError model offers is that it's trivial to build a blocking version as a busy loop around the non-blocking version:

    import os

    def urandom_wait_for_entropy(num_bytes):
        # Busy-loop until the kernel entropy pool is initialised and
        # os.urandom stops raising BlockingIOError
        while True:
            try:
                return os.urandom(num_bytes)
            except BlockingIOError:
                pass

And if you ignore the problem and just call os.urandom(), you'll almost certainly be fine unless you're working with Linux boot scripts or embedded ARM devices (in which case, this point will be minor compared to the other arcana you're dealing with).
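A bounded variant of the polling wrapper above, combined with the "fall back if you don't need strong randomness, otherwise wait or fail" split from msg268041. This is an added example, not code from the issue or from CPython; FakeKernel is a constructed stand-in for the proposed behaviour, since real os.urandom never raised BlockingIOError (in 3.6+ it blocks instead, per PEP 524).

```python
import os
import random
import time


class FakeKernel:
    """Constructed model of the PEP 522 proposal: urandom() raises
    BlockingIOError until the pool has been polled `ready_after` times."""

    def __init__(self, ready_after):
        self.calls = 0
        self.ready_after = ready_after

    def urandom(self, num_bytes):
        self.calls += 1
        if self.calls <= self.ready_after:
            raise BlockingIOError("entropy pool not yet initialised")
        return os.urandom(num_bytes)


def urandom_with_deadline(urandom, num_bytes, timeout, poll_interval=0.0):
    """Polling strategy from msg268044, but bounded: stop after `timeout`
    seconds instead of spinning forever on a box whose pool never fills.
    Re-raises BlockingIOError on timeout so the caller decides what to do."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            return urandom(num_bytes)
        except BlockingIOError:
            if time.monotonic() >= deadline:
                raise
            time.sleep(poll_interval)


def random_bytes_for(needs_crypto_strength, urandom, num_bytes, timeout=1.0):
    """Fallback strategy from msg268041: callers that do not need
    cryptographic strength may fall back to the random module; callers
    that do must wait or fail explicitly, never silently downgrade.
    Returns (data, source) so the caller can tell which path was taken."""
    try:
        return urandom_with_deadline(urandom, num_bytes, timeout), "kernel"
    except BlockingIOError:
        if needs_crypto_strength:
            raise
        weak = bytes(random.getrandbits(8) for _ in range(num_bytes))
        return weak, "fallback"
```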
msg277075 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2016-09-20 21:57
This idea is PEP 522, which was superseded by PEP 524 (accepted in Python 3.6), which proposed to make os.urandom() blocking.
History
Date                 User      Action  Args
2016-09-20 21:57:19  vstinner  set     status: open -> closed; nosy: + vstinner; messages: + msg277075; resolution: rejected
2016-06-16 13:27:05  dstufft   set     nosy: - dstufft
2016-06-09 17:24:13  ncoghlan  set     messages: + msg268044
2016-06-09 17:16:33  dstufft   set     nosy: + dstufft; messages: + msg268042
2016-06-09 17:14:31  ncoghlan  create