New submission from Christian Heimes:

In #26839 os.urandom() was made non-blocking and non-exception-raising on 
Linux. As a result, os.urandom() is no longer a CSPRNG under some conditions, as 
it can and will return predictable random values without any sort of warning or 
error flag. These conditions are (including but not limited to):

* early boot state
* virtualization without host-passthrough, e.g. virtio-rng
* embedded devices without hardware RNG or RTC, e.g. Raspberry Pi

Please ensure that the documentation properly warns users about these edge 
cases.

We might also want to add that os.urandom() can block on other platforms, e.g. 
FreeBSD and OpenBSD.

----------
components: Library (Lib)
keywords: 3.5regression
messages: 268205
nosy: christian.heimes, dstufft, haypo, larry, ned.deily
priority: release blocker
severity: normal
stage: needs patch
status: open
title: Warn users that os.urandom() can return insecure values
type: security
versions: Python 3.5, Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27292>
_______________________________________
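The report above describes os.urandom() quietly returning bytes from an unseeded kernel pool. The following is an added example, not code from the report or from CPython: it probes the pool's readiness before handing out key material, assuming Python 3.6+ on Linux so that os.getrandom() and os.GRND_NONBLOCK exist (on other platforms the seeding state is reported as unknown and os.urandom() is used as-is).

```python
import os


def pool_state():
    """Probe whether the kernel CSPRNG is seeded.

    Returns "seeded", "unseeded" or "unknown". Constructed example: with
    os.getrandom() (Python 3.6+, Linux) a GRND_NONBLOCK call fails with
    EAGAIN, surfaced as BlockingIOError, while the pool is still
    uninitialised. That is the early-boot / no-HWRNG state in which
    os.urandom() silently returns predictable bytes. Without
    os.getrandom() the state cannot be determined from user space.
    """
    getrandom = getattr(os, "getrandom", None)
    nonblock = getattr(os, "GRND_NONBLOCK", None)
    if getrandom is None or nonblock is None:
        return "unknown"
    try:
        getrandom(1, nonblock)  # one byte is enough to probe readiness
    except BlockingIOError:
        return "unseeded"
    return "seeded"


def entropy_avail():
    """Kernel's own estimate of pool entropy in bits, or None off Linux."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def key_material(n):
    """Return (n random bytes, pool state), refusing if the pool is unseeded.

    Raising here is the point: a caller generating a key or token gets an
    error instead of weak bytes with no indication anything was wrong.
    """
    state = pool_state()
    if state == "unseeded":
        raise RuntimeError("kernel CSPRNG not yet seeded; refusing to return key material")
    return os.urandom(n), state


if __name__ == "__main__":
    data, state = key_material(32)
    print("pool:", state, "entropy_avail:", entropy_avail(), "bytes:", data.hex())
```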