[Python-ideas] PEP 504: Using the system RNG by default

[Nick Coghlan]

On 16 September 2015 at 19:42, Paul Moore <p.f.moore at gmail.com> wrote:
> Nobody in the open source or security good practices communities even
> has an avenue to communicate with the groups involved in this sort of
> thing.

Fortunately, that's no longer the case. Open source based development
models are going mainstream, and while there's still a lot of work to
do, cases like the US Federal government requiring the creation of
open source prototypes as part of a bidding process are incredibly
heartening (https://18f.gsa.gov/2015/08/28/announcing-the-agile-BPA-awards/).

On the security side, folks are realising that the "You can't do that,
it's a security risk" model is a bad one, and hence favoring switching
to a model more like "We can help you to minimise your risk exposure
while still enabling you to do what you want to do".

So while it's going to take time for practices like those described in
https://playbook.cio.gov/ to become a description of "the way the IT
industry typically works", the benefits are so remarkable that it's a
question of "when" rather than "if".

> Of course, nobody in this environment uses Python to build
> internet-facing web applications, either. So I'm not trying to argue
> that this should drive the question of the RNG used in Python. But at
> the same time, I am trying to sell Python as a good tool for
> automating business processes, writing administrative scripts and
> internal applications, etc. So there is a certain link...

Right, helping Red Hat's Python maintenance team to maintain that kind
of balance is one aspect of my day job, hence my interest in
https://www.python.org/dev/peps/pep-0493/ as a nicer migration path
when backporting the change to verify HTTPS certificates by default.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia