[Security-sig] RFC: PEP: Make os.urandom() blocking on Linux

Donald Stufft donald at stufft.io
Thu Jun 23 14:13:05 EDT 2016


> On Jun 23, 2016, at 2:10 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> That second one has the added bonus of doing the right thing even on
> older Linux kernels that don't provide the new getrandom() syscall,
> creating the following virtuous feedback loop:


The second one also is not a good idea to use in the general case since it will also block randomly throughout the application. It’s OK to use if you know you’re only going to access it once on boot, but you wouldn’t want it to be a common idiom that software itself does. If I recall, there was major downtime on healthcare.gov because they used /dev/random in production.

—
Donald Stufft
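
The distinction drawn in the message above (waiting once at boot is fine, blocking on every access is not), as an added example that is not part of the original thread: it probes the kernel pool without blocking via getrandom(), waits a single time at startup, and uses os.urandom() everywhere afterwards. The function names, the timeout values, and the injectable probe/sleep parameters are assumptions made for illustration.

```python
import os
import time


def kernel_rng_ready():
    """Return True once the Linux kernel CSPRNG has been seeded."""
    if not hasattr(os, "getrandom"):
        # Assumption: without getrandom() there is nothing to probe.
        return True
    try:
        os.getrandom(1, os.GRND_NONBLOCK)  # returns or raises, never blocks
        return True
    except BlockingIOError:
        return False  # EAGAIN: pool not initialized yet (early boot)


def wait_for_kernel_rng(timeout=30.0, poll=0.1, probe=kernel_rng_ready,
                        sleep=time.sleep):
    """Call once at process start. True if seeded before the deadline."""
    deadline = time.monotonic() + timeout
    while not probe():
        if time.monotonic() >= deadline:
            return False
        sleep(poll)
    return True


def new_token(nbytes=32):
    """Hot path: os.urandom() only, no reads from /dev/random."""
    return os.urandom(nbytes)


if __name__ == "__main__":
    # The only place the process may wait on the entropy pool.
    if not wait_for_kernel_rng():
        raise SystemExit("kernel RNG not seeded; refusing to start")
    print(new_token().hex())
```
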




