[Python-Dev] BDFL ruling request: should we block forever waiting for high-quality random bits?

David Mertz mertz at gnosis.cx
Thu Jun 16 18:33:42 EDT 2016


Yes 'secrets' is one-liners. However, it might grow a few more lines around the blocking in getrandom() on Linux. But still, not more than a few.

But the reason it should be on PyPI is so that programs can have a uniform API across various Python versions. There's no real reason that someone stuck on Python 2.7 or 3.3 shouldn't be able to include the future-style:

    import secrets
    Answer = secrets.token_bytes(42)

On Jun 16, 2016 4:53 PM, "Nick Coghlan" <ncoghlan at gmail.com> wrote:

On 16 June 2016 at 13:09, Barry Warsaw <barry at python.org> wrote:
> On Jun 16, 2016, at 01:01 PM, David Mertz wrote:
>
>>It seems to me that backporting 'secrets' and putting it on Warehouse would
>>be a lot more productive than complaining about 3.5.2 reverting to (almost)
>>the behavior of 2.3-3.4.
>
> Very wise suggestion indeed. We have all kinds of stdlib modules backported
> and released as third party packages. Why not secrets too? If such were on
> PyPI, I'd happily package it up for the Debian ecosystem. Problem solved.

The secrets module is just a collection of one liners pulling together other stdlib components that have been around for years - the main problem it aims to address is one of discoverability (rather than one of code complexity), while also eliminating the "simulation is in the standard library, secrecy requires a third party module" discrepancy in the long term.

Once you're aware the problem exists, the easiest way to use it in a version independent manner is to just copy the relevant snippet into your own project's utility library - adding an entire new dependency to your project just for those utility functions would be overkill.

If you do add a dependency, you'd typically be better off with something more comprehensive and tailored to the particular problem domain you're dealing with, like passlib or cryptography or itsdangerous.

Cheers,
Nick.

P.S. Having the secrets module available on PyPI wouldn't hurt, I just don't think it would help much.

--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
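The "copy the relevant snippet into your own utility library" approach discussed in this thread, as an added example that is not code from any of the posters or from CPython: a module that re-exports the stdlib `secrets` functions when they exist and otherwise builds the same names from `os.urandom`, `random.SystemRandom` and `hmac.compare_digest`. The `fallback_*` names and the `DEFAULT_ENTROPY` value are assumptions of this sketch.

```python
"""Version-independent token helpers: stdlib 'secrets' when present, else a fallback."""
import base64
import binascii
import hmac
import os
import random

DEFAULT_ENTROPY = 32                 # bytes; assumed default for this sketch
_sysrand = random.SystemRandom()     # draws from os.urandom(), not the Mersenne Twister


def fallback_token_bytes(nbytes=None):
    """Return nbytes random bytes from the OS CSPRNG."""
    if nbytes is None:
        nbytes = DEFAULT_ENTROPY
    return os.urandom(nbytes)


def fallback_token_hex(nbytes=None):
    """Hex text token; two hex digits per random byte."""
    return binascii.hexlify(fallback_token_bytes(nbytes)).decode("ascii")


def fallback_token_urlsafe(nbytes=None):
    """URL-safe Base64 text token with '=' padding stripped."""
    raw = base64.urlsafe_b64encode(fallback_token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def fallback_choice(seq):
    """Pick one element using the OS CSPRNG."""
    return _sysrand.choice(seq)


try:  # Python 3.6+: use the real module
    from secrets import token_bytes, token_hex, token_urlsafe, choice
except ImportError:  # older interpreters: same names, local implementations
    token_bytes = fallback_token_bytes
    token_hex = fallback_token_hex
    token_urlsafe = fallback_token_urlsafe
    choice = fallback_choice

# Constant-time comparison; hmac.compare_digest exists on 2.7.7+ and 3.3+.
compare_digest = hmac.compare_digest
```

The fallback inherits whatever blocking or non-blocking behaviour `os.urandom` has on the running interpreter, which is the question this thread is arguing about.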

