Diffstat (limited to 'Doc')
-rw-r--r-- Doc/library/os.rst 29
-rw-r--r-- Doc/whatsnew/3.6.rst 12
2 files changed, 33 insertions, 8 deletions
diff --git a/Doc/library/os.rst b/Doc/library/os.rst
index 69c559c..e2b6e64 100644
--- a/Doc/library/os.rst
+++ b/Doc/library/os.rst
@@ -3968,14 +3968,27 @@ Random numbers
returned data should be unpredictable enough for cryptographic applications,
though its exact quality depends on the OS implementation.
- On Linux, the ``getrandom()`` syscall is used if available and the urandom
- entropy pool is initialized (``getrandom()`` does not block).
- On a Unix-like system this will query ``/dev/urandom``. On Windows, it
- will use ``CryptGenRandom()``. If a randomness source is not found,
- :exc:`NotImplementedError` will be raised.
-
- For an easy-to-use interface to the random number generator
- provided by your platform, please see :class:`random.SystemRandom`.
+ On Linux, if the ``getrandom()`` syscall is available, it is used in
+ blocking mode: block until the system urandom entropy pool is initialized
+ (128 bits of entropy are collected by the kernel). See the :pep:`524` for
+ the rationale. On Linux, the :func:`getrandom` function can be used to get
+ random bytes in non-blocking mode (using the :data:`GRND_NONBLOCK` flag) or
+ to poll until the system urandom entropy pool is initialized.
+
+ On a Unix-like system, random bytes are read from the ``/dev/urandom``
+ device. If the ``/dev/urandom`` device is not available or not readable, the
+ :exc:`NotImplementedError` exception is raised.
+
+ On Windows, it will use ``CryptGenRandom()``.
+
+ .. seealso::
+ The :mod:`secrets` module provides higher level functions. For an
+ easy-to-use interface to the random number generator provided by your
+ platform, please see :class:`random.SystemRandom`.
+
+ .. versionchanged:: 3.6.0
+ On Linux, ``getrandom()`` is now used in blocking mode to increase the
+ security.
.. versionchanged:: 3.5.2
On Linux, if the ``getrandom()`` syscall blocks (the urandom entropy pool
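Review bot: The rewritten Linux paragraph leaves the case where ``getrandom()`` is not available undocumented. The first added paragraph covers only "if the ``getrandom()`` syscall is available", and the next one switches to "a Unix-like system" reading ``/dev/urandom``, so a reader on a Linux kernel without the syscall cannot tell whether the blocking guarantee applies. Suggest stating the fallback, and whether it blocks, in the Linux paragraph itself. The old text raised :exc:`NotImplementedError` whenever "a randomness source is not found"; the new text ties it to ``/dev/urandom`` only, so the Windows sentence now says nothing about failure. Smaller points: the new ``.. versionchanged:: 3.6.0`` entry sits ahead of the existing ``3.5.2`` entry, and placing it after would keep the entries chronological; "See the :pep:`524`" reads better as "See :pep:`524`", and "to increase the security" as "to increase security".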
diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst
index 683ea82..f40a3c0 100644
--- a/Doc/whatsnew/3.6.rst
+++ b/Doc/whatsnew/3.6.rst
@@ -70,6 +70,12 @@ Standard library improvements:
* PEP 519: :ref:`Adding a file system path protocol <pep-519>`
+Security improvements:
+
+* On Linux, :func:`os.urandom` now blocks until the system urandom entropy pool
+ is initialized to increase the security. See the :pep:`524` for the
+ rationale.
+
Windows improvements:
* The ``py.exe`` launcher, when used interactively, no longer prefers
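Review bot: The new "Security improvements:" bullet does not follow the pattern of the neighbouring summary entry, ``* PEP 519: :ref:`Adding a file system path protocol <pep-519>```, which names the PEP first and links to a section of this document. Suggest the same shape here (for example a "PEP 524:" lead with a ``:ref:`` to a labelled section) so the summary points at one place that carries the detail. The summary should also mention that the call can now block at early boot, since that is the user-visible effect; "to increase the security" reads better as "to increase security".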
@@ -345,6 +351,9 @@ New Modules
Improved Modules
================
+On Linux, :func:`os.urandom` now blocks until the system urandom entropy pool
+is initialized to increase the security. See the :pep:`524` for the rationale.
+
asyncio
-------
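Review bot: The added paragraph sits directly under the "Improved Modules" heading, ahead of the first per-module subsection (``asyncio``), so it reads as an introduction to the whole section rather than a change to one module. Suggest moving it under an ``os`` subsection with its own heading, in the same style as the ``asyncio`` one. It also repeats the summary bullet added earlier in this file word for word; one of the two could shrink to a cross-reference.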
@@ -913,6 +922,9 @@ Changes in 'python' Command Behavior
Changes in the Python API
-------------------------
+* On Linux, :func:`os.urandom` now blocks until the system urandom entropy pool
+ is initialized to increase the security.
+
* When :meth:`importlib.abc.Loader.exec_module` is defined,
:meth:`importlib.abc.Loader.create_module` must also be defined.
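Review bot: In the "Changes in the Python API" bullet, the text states that :func:`os.urandom` now blocks but gives the porting reader nothing to act on, and unlike the other two copies of this sentence it drops the :pep:`524` reference. Suggest adding the reference and one sentence on what callers that cannot block should do, pointing at the non-blocking mode described in the ``os.rst`` change (:func:`os.getrandom` with :data:`GRND_NONBLOCK`). This is the third occurrence of the same sentence in this file, so keeping the full wording in one place and linking to it from the others would avoid the copies drifting apart.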