Opened 8 years ago
Closed 6 years ago
#27635 closed Cleanup/optimization (fixed)
django.utils.crypto should use secrets on Python 3.6+
Reported by: | Adam Johnson | Owned by: | Nick Pope |
---|---|---|---|
Component: | Utilities | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | aymeric.augustin@…, me@…, desecho@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Aymeric discussing django.utils.crypto on mailing list:
While we’re there, we should use https://docs.python.org/3/library/secrets.html#module-secrets on Python >= 3.6.
Change History (8)
comment:1 by , 8 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
Type: | New feature → Cleanup/optimization |
follow-up: 4 comment:3 by , 8 years ago
Has patch: | unset |
---|---|
Triage Stage: | Accepted → Someday/Maybe |
Python's secrets.py
does from random import SystemRandom
so this doesn't change any behavior or add security for now. Adam said, "Presumably the intention is that secrets might one day use a different PRNG's on some OS's." Let's make the change if the benefits become more than theoretical or when only Python 3.6+ is supported.
Another possibility Aymeric mentioned, "In the long run I think we should deprecate get_random_string in favor of similar functions provided by the secrets module. I didn't check whether there was a sensible transition plan to make use of secrets on Python 3.6 while still supporting older versions."
comment:4 by , 8 years ago
Replying to Tim Graham:
Python's
secrets.py
doesfrom random import SystemRandom
so this doesn't change any behavior or add security for now. Adam said, "Presumably the intention is that secrets might one day use a different PRNG's on some OS's." Let's make the change if the benefits become more than theoretical or when only Python 3.6+ is supported.
Another possibility Aymeric mentioned, "In the long run I think we should deprecate get_random_string in favor of similar functions provided by the secrets module. I didn't check whether there was a sensible transition plan to make use of secrets on Python 3.6 while still supporting older versions."
I'm with you on this. The vast majority of people are not going to use this for a long time and it will add an extra bit of overhead just to support an update in a single version of Python none of the big distros ship. Once more of the Django community has migrated to Python3.6+ it would be worth looking into.
comment:6 by , 6 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Triage Stage: | Someday/Maybe → Accepted |
Alternate PR addressing the non-working fallback and optionally stripping it out based on my comment.
Specifically, it looks like that means in place of
random.SystemRandom
.