Christian Heimes added the comment: PSRT VETO!
This ticket is turning into a bike-shedding discussion. In the light of the upcoming release 3.5.2 I'm now putting on my PSRT hat (Python Security Response Team) and proclaim a veto against any and all changes to os.urandom(). The security properties of os.urandom() must not be modified or reduced compared to 3.5.1. Please restore the behavior of os.urandom(). Reasoning: The security of our general audience is much more important than this special case. I agree that the problem of Python blocking in an early boot phase should be fixed. But under no circumstances must the fix affect security. For now please work around the issue with PYTHONHASHSEED or forwarding the host's entropy source into your virtualization environment. Any change to os.urandom(), _Py_HashSecret (I'm the author of PEP 456) and Mersenne-Twister initialization of random.random() shall go through a formal PEP process. I'm willing to participate in writing the PEP. A formal PEP also enables us to ask trained security experts for review. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26839> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
