[Python-ideas] PEP 504: Using the system RNG by default

Nick Coghlan ncoghlan at gmail.com
Wed Sep 16 18:21:09 CEST 2015


On 17 September 2015 at 02:09, Tim Peters <tim.peters at gmail.com> wrote:
> [Guido]
>>> ...
>>> Tim's proposal is simple: create a new module, e.g. saferandom, with the
>>> same API as random (less seed/state). That's it. Then it's a simple import
>>> change away to do the right thing, and we have years to seed StackOverflow
>>> with better information before that code even hits the road. (But a backport
>>> to Python 2.7 could be on PyPI tomorrow!)
>
> [Nick Coghlan <ncoghlan at gmail.com>]
>> If folks are reaching for a third party library anyway, we'd be better
>> off pointing them at one of the higher level ones like passlib or
>> cryptography.
>
> Note that, in context, "saferandom" _would_ be a standard module in a
> future Python 3 feature release.  But it _could_ be used literally
> tomorrow by anyone who wanted a head start, whether in a current
> Python 2 or Python 3.
>
> And if pieces of `passlib` and/or `cryptography` are thought to be
> essential for best practice, cool, then `saferandom` could also become
> a natural home for workalikes.  Would you really want to _ever_ put
> such functions in the catch-all "random" module?  The docs would
> become an incomprehensible mess.

My main objection here was the name, so Steven's suggestion of calling
such a module "secrets" with a suitably crafted higher level API
rather than replicating the entire random module API made a big
difference. We may even be able to finally give hmac.compare_digest a
more obvious home as something like "secrets.equal".

I'll leave PEP 504 as Draft for now, but I currently expect I'll end
up withdrawing it in favour of Steven's idea.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
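
Added example, not part of the original message or of any proposed module: a Python sketch of the kind of small, higher level API discussed above, built only on random.SystemRandom and hmac.compare_digest. The helper names token, equal and seeded_tokens are assumptions made for illustration.

```python
import hmac
import random
import string

# SystemRandom draws from os.urandom; it keeps no seedable state.
_sysrand = random.SystemRandom()
_ALPHABET = string.ascii_letters + string.digits


def token(nchars=32):
    """Return an unpredictable alphanumeric token (hypothetical helper)."""
    if nchars <= 0:
        raise ValueError("nchars must be positive")
    return "".join(_sysrand.choice(_ALPHABET) for _ in range(nchars))


def equal(a, b):
    """Constant-time comparison; the name follows the 'secrets.equal' idea.

    str inputs are encoded first because hmac.compare_digest only accepts
    ASCII-only str, and a non-ASCII secret would otherwise raise TypeError.
    """
    if isinstance(a, str):
        a = a.encode("utf-8")
    if isinstance(b, str):
        b = b.encode("utf-8")
    return hmac.compare_digest(a, b)


def seeded_tokens(seed, count=3, nchars=16):
    """Tokens from the default Mersenne Twister generator.

    Anyone who learns or guesses the seed reproduces every token, which is
    why the default generator is the wrong source for secrets.
    """
    rng = random.Random(seed)
    return ["".join(rng.choice(_ALPHABET) for _ in range(nchars))
            for _ in range(count)]


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    print("seeded, run 1:", seeded_tokens(1234))
    print("seeded, run 2:", seeded_tokens(1234))  # identical to run 1
    _sysrand.seed(1234)                           # ignored by SystemRandom
    print("system RNG   :", [token(16) for _ in range(3)])
    stored = token()
    print("match        :", equal(stored, stored))
    print("mismatch     :", equal(stored, stored[:-1] + "!"))
```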

