Re: PEP 504: Using the system RNG by default
[Posted September 16, 2015 by jake]
From: Guido van Rossum <guido-+ZN9ApsXKcEdnm+yROfE0A-AT-public.gmane.org>
To: Donald Stufft <donald-/z0sg0XqlqBhl2p70BpVqQ-AT-public.gmane.org>
Subject: Re: PEP 504: Using the system RNG by default
Date: Tue, 15 Sep 2015 11:21:20 -0700
Message-ID: <CAP7+vJK3qVGozGbzVRBh05DqLdwgFJV1mFGts48VyqDso+WuVQ@mail.gmail.com>
Cc: "python-ideas-+ZN9ApsXKcEdnm+yROfE0A-AT-public.gmane.org" <python-ideas-+ZN9ApsXKcEdnm+yROfE0A-AT-public.gmane.org>

On Tue, Sep 15, 2015 at 10:50 AM, Donald Stufft <donald-/z0sg0XqlqBhl2p70BpVqQ@public.gmane.org>
wrote:
> On September 15, 2015 at 1:34:56 PM, Guido van Rossum
> (guido-+ZN9ApsXKcEdnm+yROfE0A@public.gmane.org) wrote:
> > I am fine with adding more secure ways of generating random numbers.
> > But we already have random.SystemRandom(), so there doesn’t
> > seem to be a hurry?
>
> The problem isn't so much that there isn't a way of securely generating
> random numbers, but that the module, as it is right now, guides you
> towards using an insecure source of random numbers rather than a secure
> one. This means that unless you're familiar with the random module or
> reading the online documentation you don't really have any idea that
> ``random.random()`` isn't secure. This is an attractive nuisance for
> anyone who *doesn't* need deterministic output from their random numbers
> and leads to situations where people are incorrectly using MT when they
> should be using SystemRandom because they don't know any better.
>
That feels condescending, as does the assumption that (almost) every naive
use of randomness is somehow a security vulnerability. The concept of
secure vs. insecure sources of randomness isn't *that* hard to grasp.
--
--Guido van Rossum (python.org/~guido)