Message 267971 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	Theodore Tso, christian.heimes, dstufft, larry, lemburg, martin.panter, ncoghlan, vstinner
Date	2016-06-09.07:56:01
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<57592109.5060805@egenix.com>
In-reply-to	<1465430695.0.0.555300487063.issue27266@psf.upfronthosting.co.za>

Content
I propose to deprecate os.urandom() altogether due to all the issues we've discussed on all those recent tickets. See #27279 for details. On 09.06.2016 02:04, Nick Coghlan wrote: > I'd also STRONGLY request that we avoid adding any new APIs in relation to this that mean "Use os.urandom" is no longer the preferred option to obtain cryptographically strong random numbers in Python. Any such APIs can't be used in single source Python 2/3 code, they invalidate existing third party documentation like https://cryptography.io/en/latest/random-numbers/ and they invalidate answers on Q&A sites like http://stackoverflow.com/questions/20936993/how-can-i-create-a-random-number-that-is-cryptographically-secure-in-python It's easy enough to write Python2/3 code to use the new APIs for Python3, so I don't really buy that argument. As for answers on SO: it's not a definite source for anything anyway and life moves on, so eventually people will up the new changes and update older answers to the new ones. The deprecation notice will get people aware of the change.

I propose to deprecate os.urandom() altogether due to all the
issues we've discussed on all those recent tickets.

See #27279 for details.

On 09.06.2016 02:04, Nick Coghlan wrote:
> I'd also *STRONGLY* request that we avoid adding any new APIs in relation to this that mean "Use os.urandom" is no longer the preferred option to obtain cryptographically strong random numbers in Python. Any such APIs can't be used in single source Python 2/3 code, they invalidate existing third party documentation like https://cryptography.io/en/latest/random-numbers/ and they invalidate answers on Q&A sites like http://stackoverflow.com/questions/20936993/how-can-i-create-a-random-number-that-is-cryptographically-secure-in-python

It's easy enough to write Python2/3 code to use the new
APIs for Python3, so I don't really buy that argument.

As for answers on SO: it's not a definite source for anything
anyway and life moves on, so eventually people will up the
new changes and update older answers to the new ones. The
deprecation notice will get people aware of the change.

History
Date	User	Action	Args
2016-06-09 07:56:01	lemburg	set	recipients: + lemburg, ncoghlan, vstinner, larry, christian.heimes, martin.panter, dstufft, Theodore Tso
2016-06-09 07:56:01	lemburg	link	issue27266 messages
2016-06-09 07:56:01	lemburg	create