
Re: [Python-Dev] PEP 506 secrets module

From: Serhiy Storchaka <stor...@gmail.com>
Fri, 16 Oct 2015 18:35:14 +0300
On 16.10.15 09:57, Victor Stinner wrote:
> I suggest to raise an error if token_bytes(n) is called with n < 16
> bytes (128 bits). Well, I'm not sure that 16 is the good compromise
> between performance and security, but we must enforce users to use a
> minimum number of bits of entropy. token_bytes(1) looks valid, even
> token_bytes(0), according to the Python code in the PEP.

This will provoke people to write code like token_bytes(16)[:5].

> I don't like the idea of having two functions doing *almost* the same
> thing: randint() and randrange(). There is a risk that these functions
> will be misused. I consider that I know some stuff on PRNG but I'm
> still confused by randint() and randrange(). Usually, I open python
> and type:
>
> >>> x=[s.randrange(1,6) for n in range(100)]
> >>> min(x), max(x)
> (1, 5)
>
> Hum, ok, it's not a good dice :-) I probably wanted to use randint().
> So I suggest to only add randint() to secrets.

I suggest to add only randrange(). randint() is a historical artefact; we
shouldn't repeat this mistake in a new module. The secrets module is not
a good way to generate dice rolls. In most other cases you need to
generate integers in the half-open interval [0; N).

And randbelow() is absolutely redundant. Random._randbelow() is an
implementation detail and I am inclined to get rid of it (implementing
randrange() in C instead).
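
An added example, not part of the original message or of the PEP's code: it shows how a half-open randrange() and a closed randint() both reduce to one randbelow() primitive, and how slicing defeats a minimum-length check on token_bytes(). The helper names token_bytes_min and observed_bounds, and the local randbelow built on os.urandom, are assumptions made for illustration.

```python
import os
import secrets

MIN_TOKEN_BYTES = 16  # the 128-bit floor proposed in the quoted message


def token_bytes_min(n):
    """Hypothetical wrapper: refuse tokens shorter than MIN_TOKEN_BYTES."""
    if n < MIN_TOKEN_BYTES:
        raise ValueError(f"need at least {MIN_TOKEN_BYTES} bytes, got {n}")
    return secrets.token_bytes(n)


def randbelow(n):
    """Uniform integer in the half-open interval [0, n), from os.urandom."""
    if n <= 0:
        raise ValueError("n must be positive")
    k = (n - 1).bit_length()           # bits needed to represent n - 1
    nbytes = (k + 7) // 8 or 1         # always read at least one byte
    while True:
        r = int.from_bytes(os.urandom(nbytes), "big") >> (nbytes * 8 - k)
        if r < n:                      # rejection sampling, no modulo bias
            return r


def randrange(start, stop):
    """Half-open [start, stop), matching range() and slicing."""
    return start + randbelow(stop - start)


def randint(a, b):
    """Closed [a, b]; differs from randrange only by +1 on the upper bound."""
    return randrange(a, b + 1)


def observed_bounds(draw, samples=2000):
    """Smallest and largest value seen over many draws."""
    xs = [draw() for _ in range(samples)]
    return min(xs), max(xs)


if __name__ == "__main__":
    print("randrange(1, 6):", observed_bounds(lambda: randrange(1, 6)))
    print("randint(1, 6):  ", observed_bounds(lambda: randint(1, 6)))
    # The length check passes, then the caller throws most of the bytes away.
    short = token_bytes_min(16)[:5]
    print("bits left after truncation:", len(short) * 8)
```
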

