[Python-Dev] Should we use getentropy() for os.urandom()? (original) (raw)
Donald Stufft donald at stufft.io
Sat Sep 5 01:29:47 CEST 2015
- Previous message (by thread): [Python-Dev] Should we use getentropy() for os.urandom()?
- Next message (by thread): [Python-Dev] PEP 498: Literal String Interpolation is ready for pronouncement
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On September 4, 2015 at 7:08:36 PM, Guido van Rossum (guido at python.org) wrote:
I'm no expert, but from the bug report and the man page you quoted it does sound like getentropy() should only be used to seed a PRNG. It also sounds like reading /dev/[u]random should be considered a PRNG. For evidence, the man page on OS X says: "The random device produces uniformly distributed random byte values of potentially high quality." It goes on to describe the difference between the two on Linux (where urandom produces lower quality when it runs out of entropy while random apparently blocks). It does sound like we should not call getentropy() except to get a good seed for our own PRNG.
I don't recall the difference between getentropy and getrandom but /dev/(u)random are basically the exact same except /dev/random tries to gues how "random" it’s numbers are. The manpage for /dev/(u)random is basically wrong. (See http://www.2uo.de/myths-about-urandom/ and http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/).
Someone who remembers what getentropy implements would have to chime in on whether we should use it or not, but getrandom is basically a better form of /dev/urandom.
Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
- Previous message (by thread): [Python-Dev] Should we use getentropy() for os.urandom()?
- Next message (by thread): [Python-Dev] PEP 498: Literal String Interpolation is ready for pronouncement
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]