Message 267819 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Colm Buckley, Lukasa, Theodore Tso, alex, christian.heimes, doko, dstufft, larry, lemburg, martin.panter, matejcik, ned.deily, python-dev, rhettinger, skrah, thomas-petazzoni, vstinner, ztane
Date	2016-06-08.09:39:03
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1465378744.6.0.846317155805.issue26839@psf.upfronthosting.co.za>
In-reply-to

Content
no-urandom-by-default.diff uses a very weak source of entropy for random.Random :-( I'm fighting against weak sources of entropy since many years... This change introduces the bug similar to OpenSSL RAND_bytes() bug (two processes with the same pid can produce the same random sequence): two Python processes started "at the same time" (with a resolution of 1/256 sec ~= 3.9 ms) produces the same random sequence. With my script: --- import subprocess, sys args = [sys.executable, '-S', '-c', 'import random; print([random.randint(0, 999) for _ in range(4)])'] numbers = set() procs = [subprocess.Popen(args, stdout=subprocess.PIPE) for _ in range(10)] for proc in procs: stdout = proc.communicate()[0] numbers.add(stdout.rstrip()) for line in numbers: print(line.decode()) print("duplicates", len(procs) - len(numbers)) --- Output: --- [68, 812, 821, 421] [732, 506, 562, 439] [70, 711, 476, 230] [411, 474, 729, 837] [530, 161, 699, 521] [818, 897, 582, 38] [42, 132, 359, 275] [630, 863, 370, 288] [497, 716, 61, 93] duplicates 1 ---

no-urandom-by-default.diff uses a very weak source of entropy for random.Random :-( I'm fighting against weak sources of entropy since many years...

This change introduces the bug similar to OpenSSL RAND_bytes() bug (two processes with the same pid can produce the same random sequence): two Python processes started "at the same time" (with a resolution of 1/256 sec ~= 3.9 ms) produces the same random sequence.

With my script:
---
import subprocess, sys
args = [sys.executable, '-S', '-c', 'import random; print([random.randint(0, 999) for _ in range(4)])']
numbers = set()
procs = [subprocess.Popen(args, stdout=subprocess.PIPE) for _ in range(10)]
for proc in procs:
    stdout = proc.communicate()[0]
    numbers.add(stdout.rstrip())
for line in numbers:
    print(line.decode())
print("duplicates", len(procs) - len(numbers))
---

Output:
---
[68, 812, 821, 421]
[732, 506, 562, 439]
[70, 711, 476, 230]
[411, 474, 729, 837]
[530, 161, 699, 521]
[818, 897, 582, 38]
[42, 132, 359, 275]
[630, 863, 370, 288]
[497, 716, 61, 93]
duplicates 1
---

History
Date	User	Action	Args
2016-06-08 09:39:04	vstinner	set	recipients: + vstinner, lemburg, rhettinger, doko, larry, christian.heimes, matejcik, ned.deily, alex, skrah, python-dev, martin.panter, ztane, dstufft, Lukasa, thomas-petazzoni, Colm Buckley, Theodore Tso
2016-06-08 09:39:04	vstinner	set	messageid: <1465378744.6.0.846317155805.issue26839@psf.upfronthosting.co.za>
2016-06-08 09:39:04	vstinner	link	issue26839 messages
2016-06-08 09:39:03	vstinner	create