STINNER Victor added the comment:

Donald Stufft: "As far as I know, all other modern OSs *ALWAYS* block until their entropy pool is initialized. It's Linux that refuses to get with the program."

Ah? I didn't know. Anyway, it doesn't change anything about the problem. I don't think that security matters enough to block Python at startup. Python has a long history of being a thin wrapper on top of the OS. Usually, Python doesn't work around design issues of OSes, but exposes functions as they are. If you think that Linux is broken, please fix Linux, not Python.

--

If security matters in your application, you should work around the Linux behaviour (bug?) in your application, but not in Python. For example, raise a fatal error with an error written in capital letters. Or block. Python *cannot* make this choice for you. It's part of Python design to not take such decisions for you. Python is used in various areas, and in many areas, security doesn't matter at all.

To me, it's just a major bug that python3 -c 'print("Hello World")' blocks until Linux has enough entropy. In some embedded devices, you can wait forever, you will *never* get enough entropy to see the hello world message...

--

Trying to decide if os.urandom() and /dev/urandom are "secure" or not is a waste of time. To me it's now clear that it's impossible to decide :-) It depends on your expectation from security. Don't start to lose time discussing this forever ;-)

----------

Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26839>
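
The application-level choice described in the comment above (fail loudly or block), sketched as an added example that is not part of the original message or of CPython. The names `csprng_ready`, `require_entropy` and `EntropyNotReady` are hypothetical, and it assumes Linux with `os.getrandom()` (Python 3.6+); treating other platforms as ready is an assumption.

```python
import os
import time


class EntropyNotReady(RuntimeError):
    """The kernel CSPRNG has not been seeded yet."""


def csprng_ready():
    """Probe the kernel pool without blocking (Linux getrandom(2))."""
    if not hasattr(os, "getrandom"):
        # Assumption: platforms without getrandom() are treated as ready.
        return True
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        # EAGAIN: the pool is not initialized yet.
        return False


def require_entropy(policy="fail", timeout=30.0, interval=0.5,
                    probe=csprng_ready, sleep=time.sleep):
    """Apply the application's policy before any key material is generated.

    policy="fail":  raise at once if the pool is not seeded.
    policy="block": poll every `interval` seconds, give up after `timeout`.
    Returns the number of seconds spent waiting.
    """
    if policy not in ("fail", "block"):
        raise ValueError("policy must be 'fail' or 'block'")
    waited = 0.0
    while not probe():
        if policy == "fail" or waited >= timeout:
            raise EntropyNotReady(
                "KERNEL CSPRNG NOT SEEDED, REFUSING TO GENERATE KEYS")
        sleep(interval)
        waited += interval
    return waited


if __name__ == "__main__":
    # A security-sensitive service decides for itself; a script that only
    # prints "Hello World" never calls require_entropy() and never waits.
    require_entropy(policy="block", timeout=10.0)
    session_key = os.urandom(32)
    print("generated a %d-byte key" % len(session_key))
```

The `probe` and `sleep` parameters exist so the policy can be exercised in tests without an unseeded kernel.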