[Python-ideas] Globally configurable random number generation
Stefan Krah
skrah at bytereef.org
Mon Sep 14 15:43:58 CEST 2015

Nick Coghlan <ncoghlan at ...> writes:
> = Core abstraction =
>
> The core concept of this proposal involves classifying random number
> generators in Python as follows:
>
> * seedable
> * seedless
> * system
>
> These terms are chosen to make sense to folks that have *no idea*
> about the way different kinds of random number generator work and how
> that affects their security properties, but do know whether or not
> they need to be able to pass in a particular fixed seed in order to
> regenerate the same series of outputs.
>
> The guidance to Python users is then:
>
> * we use the seedless RNG by default as it provides the best balance
> of speed and security
> * if you need to be able to exactly reproduce output sequences, use
> the seedable RNG
> * if you know you're doing security sensitive work, use the system RNG
> directly to eliminate Python's seedless RNG as a potential source of
> vulnerabilities

Sorry, -1 on this. Theo proposed a simple API like:

  arc4random()
  arc4random_uniform()

Go has:

  https://golang.org/pkg/math/rand/
  https://golang.org/pkg/crypto/rand/

These are sane, unambiguously named APIs. I wish Python had more
of those. If people must have their CSPRNG, please let's leave
the random module alone and introduce a crypto module like Go.


Stefan Krah
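
An added example, not part of the original message or of any proposal in the thread: the arc4random_uniform() contract (a uniform value below a bound, with no modulo bias) written in Python so that it can draw from either the system RNG or a seedable one, which makes the seedable/system distinction discussed above concrete. The names uniform_below, system_u32, seedable_source, replay and draw are hypothetical.

```python
import os
import random

U32 = 2 ** 32

def system_u32():
    """32 bits from the OS CSPRNG; it cannot be seeded or replayed."""
    return int.from_bytes(os.urandom(4), "big")

def seedable_source(seed):
    """Seedable source (Mersenne Twister): same seed, same sequence."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)

def replay(values):
    """Constructed source that replays fixed values, to exercise rejection."""
    it = iter(values)
    return lambda: next(it)

def uniform_below(upper_bound, next_u32=system_u32):
    """Uniform integer in [0, upper_bound) without modulo bias.

    A plain `r % upper_bound` favours small results whenever upper_bound
    does not divide 2**32. Raw values in the leftover range at the bottom
    are therefore discarded and redrawn.
    """
    if not 0 <= upper_bound <= U32:
        raise ValueError("upper_bound must fit in 32 bits")
    if upper_bound < 2:
        return 0
    reject_below = U32 % upper_bound
    while True:
        r = next_u32()
        if r >= reject_below:
            return r % upper_bound

def draw(n, upper_bound, next_u32=system_u32):
    """Draw n bounded values from a single source."""
    return [uniform_below(upper_bound, next_u32) for _ in range(n)]

if __name__ == "__main__":
    # Seedable: reproducible, suitable for simulations, not for secrets.
    print(draw(5, 6, seedable_source(2015)))
    print(draw(5, 6, seedable_source(2015)))
    # System: differs on every run, nothing to seed.
    print(draw(5, 6))
```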