
Author vstinner
Recipients Colm Buckley, Lukasa, alex, doko, dstufft, larry, lemburg, martin.panter, matejcik, ned.deily, python-dev, rhettinger, skrah, thomas-petazzoni, vstinner, ztane
Date 2016-06-07.11:53:19
Cory Benfield: "For example, random.SystemRandom uses os.urandom to
generate its random numbers. SystemRandom is then used by the secrets
module to generate *its* random numbers. This means that os.urandom
*is* explicitly used by the Python standard library to generate
cryptographically secure random numbers. It was done so in part
expressly because the call to random() could block."

IMHO you should read which
explains that the property of blocking or not blocking doesn't matter
for the quality of the RNG. /dev/urandom is good enough to generate
cryptographic keys. Can we please stay focused on the *uninitialized
entropy pool* case?

Please see my message:
"Reminder: getrandom() feature is specific to Linux. I understand that
all other operating systems don't warn if the urandom entropy pool is
not initialized yet!"

IMHO you are expecting too much from os.urandom(). *If* you consider
that secrets require an initialized entropy pool, IMHO you should help
Stephan to implement a function to retrieve the implementation of
os.urandom() and then take a decision *in the secrets module*. For
example, raise an exception. It's the best way to warn users that
something goes wrong. I don't think that *blocking* is a good choice.

History
Date                 User      Action  Args
2016-06-07 11:53:20  vstinner  set     recipients: + vstinner, lemburg, rhettinger, doko, larry, matejcik, ned.deily, alex, skrah, python-dev, martin.panter, ztane, dstufft, Lukasa, thomas-petazzoni, Colm Buckley
2016-06-07 11:53:20  vstinner  link    issue26839 messages
2016-06-07 11:53:19  vstinner  create
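
The "raise an exception instead of blocking" behaviour proposed in the message above, as an added example that is not part of the original message or of CPython's code. It assumes os.getrandom() and os.GRND_NONBLOCK (Linux, Python 3.6 and later); strict_random_bytes, EntropyPoolNotReady, the getrandom parameter and uninitialized_pool are hypothetical names.

```python
import errno
import os


class EntropyPoolNotReady(RuntimeError):
    """The kernel urandom entropy pool is not initialized yet."""


def strict_random_bytes(n, getrandom=None):
    """Return n random bytes; raise instead of blocking on an empty pool.

    getrandom is injectable (hypothetical parameter) so the failure path
    can be exercised; the default is os.getrandom where it exists.
    """
    if getrandom is None:
        getrandom = getattr(os, "getrandom", None)
    if getrandom is None:
        # No getrandom() here: os.urandom() gives no signal about the
        # pool state, so there is nothing to check.
        return os.urandom(n)
    nonblock = getattr(os, "GRND_NONBLOCK", 0x0001)  # Linux value
    buf = b""
    while len(buf) < n:  # getrandom() may return fewer bytes than asked
        try:
            buf += getrandom(n - len(buf), nonblock)
        except BlockingIOError as exc:
            # EAGAIN: pool not initialized. Warn the caller, do not block.
            raise EntropyPoolNotReady(
                "urandom entropy pool is not initialized") from exc
        except OSError as exc:
            # Syscall missing (old kernel) or filtered: no signal available.
            if exc.errno not in (errno.ENOSYS, errno.EPERM):
                raise
            return os.urandom(n)
    return buf


def uninitialized_pool(size, flags):
    """Constructed stand-in for getrandom() early in boot."""
    raise BlockingIOError(errno.EAGAIN, "Resource temporarily unavailable")


if __name__ == "__main__":
    print(len(strict_random_bytes(32)))
    try:
        strict_random_bytes(32, getrandom=uninitialized_pool)
    except EntropyPoolNotReady as exc:
        print("refused:", exc)
```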