New submission from Larry Hastings:

Linux contains two separate sources for random numbers: /dev/urandom and /dev/random. On a reasonably-current Linux box, the urandom(4) man page states:

    As a general rule, /dev/urandom should be used for everything except long-lived GPG/SSL/SSH keys.

This seems to suggest that, in the eyes of its implementors, /dev/random returns ever-so-slightly superior random numbers, and that in certain limited circumstances you should prefer those.

AFAICT the secrets module doesn't make use of the /dev/random device on Linux. Should it? (Or, in the likely case that we make the getrandom() function directly callable, should it call getrandom(GRND_RANDOM)?)

p.s. FWIW, Linux's /dev/urandom isn't considered a true CPRNG in all circles. This paper declines to call it simply either a CPRNG or a PRNG, instead christening it with the unfamiliar term "PRNG with entropy inputs".

https://eprint.iacr.org/2012/251.pdf

p.p.s. I went ahead and nosied the "cryptography" "interest category" from the nosy list. Neat!

----------
assignee: steven.daprano
components: Library (Lib)
messages: 268243
nosy: christian.heimes, dstufft, gregory.p.smith, larry, steven.daprano
priority: low
severity: normal
stage: test needed
status: open
title: Add support for /dev/random to "secrets"
type: enhancement
versions: Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27297>
_______________________________________
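
What the getrandom(GRND_RANDOM) call asked about above could look like from Python, as an added example that is not part of the original message or of the secrets module. It uses os.getrandom() (Linux only, Python 3.6+); the helper name read_random_pool, the max_attempts parameter and the policy of falling back to os.urandom() are assumptions made for illustration.

```python
import os


def read_random_pool(nbytes, max_attempts=64):
    """Return (data, source).

    data is nbytes from getrandom(GRND_RANDOM) when the kernel can serve the
    request without blocking; otherwise it comes from os.urandom().
    read_random_pool and max_attempts are hypothetical names for this example.
    """
    if nbytes < 0:
        raise ValueError("nbytes must be non-negative")
    # os.getrandom() and the GRND_* flags exist only on Linux builds.
    if not hasattr(os, "getrandom"):
        return os.urandom(nbytes), "urandom"

    # GRND_NONBLOCK turns "would block" into BlockingIOError, so a caller
    # is never stalled waiting on the kernel's entropy accounting.
    flags = os.GRND_RANDOM | os.GRND_NONBLOCK
    buf = bytearray()
    for _ in range(max_attempts):
        if len(buf) == nbytes:
            break
        try:
            # A single call may return fewer bytes than requested,
            # so accumulate until the request is satisfied.
            chunk = os.getrandom(nbytes - len(buf), flags)
        except OSError:
            # Covers BlockingIOError (pool would block) and kernels or
            # sandboxes where the syscall is unavailable.
            break
        buf += chunk

    if len(buf) == nbytes:
        return bytes(buf), "getrandom(GRND_RANDOM)"
    # Discard any partial read and report the fallback source honestly.
    return os.urandom(nbytes), "urandom"


if __name__ == "__main__":
    key, source = read_random_pool(32)
    print(len(key), "bytes from", source)
```

The returned source label lets a caller log or assert which interface actually supplied the bytes.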