This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients christian.heimes, docs@python
Date 2012-10-10.16:13:10
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1349885590.41.0.193272073786.issue16190@psf.upfronthosting.co.za>
In-reply-to
Content 
The documentation [1] of the random module contains a misleading warning 

---
Warning: The generators of the random module should not be used for security purposes. Use ssl.RAND_bytes() if you require a cryptographically secure pseudorandom number generator.
---

The warning should point users to os.urandom() and random.SystemRandom rather than ssl.RAND_bytes(). On Linux os.urandom() wraps /dev/urandom [2], on Windows it uses CryptGenRandom() [3]. Both are suitable for most cryptographic purposes except for long-lived keys (SSL, SSH, GPG certs etc.). ssl.RAND_bytes() should only be used for such long-lived data and not for salts, session ids and similar.

I like to see the warning box in Python 2.7, too. It's still the default for docs.python.org. My inquiry is motivated by #16184.

[1] http://docs.python.org/py3k/library/random.html
[2] http://linux.die.net/man/4/urandom
[3] http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942%28v=vs.85%29.aspx
History
Date User Action Args
2012-10-10 16:13:10christian.heimessetrecipients: + christian.heimes, docs@python
2012-10-10 16:13:10christian.heimessetmessageid: <1349885590.41.0.193272073786.issue16190@psf.upfronthosting.co.za>
2012-10-10 16:13:10christian.heimeslinkissue16190 messages
2012-10-10 16:13:10christian.heimescreate