[Django] #27635: django.utils.crypto should use secrets on Python 3.6+


Django

Dec 24, 2016, 7:09:44 PM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
---------------------------------------+------------------------
Reporter: Adam Chainz | Owner: nobody
Type: New feature | Status: new
Component: Utilities | Version: 1.10
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
---------------------------------------+------------------------
Aymeric discussing django.utils.crypto on [https://groups.google.com/d/msg/django-developers/SOKz1e3TTcg/ZEYhVQP5EAAJ mailing list]:

> While we’re there, we should use https://docs.python.org/3/library/secrets.html#module-secrets on Python >= 3.6.

--
Ticket URL: <https://code.djangoproject.com/ticket/27635>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Dec 26, 2016, 7:58:29 AM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
--------------------------------------+------------------------------------
Reporter: Adam Chainz | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

* type: New feature => Cleanup/optimization
* stage: Unreviewed => Accepted


Comment:

Specifically, it looks like that means in place of `random.SystemRandom`.

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:1>

Django

Dec 28, 2016, 4:12:58 PM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
--------------------------------------+------------------------------------
Reporter: Adam Chainz | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Anton Samarchyan):

* cc: desecho@… (added)
* has_patch: 0 => 1
* version: 1.10 => master


Comment:

Added [https://github.com/django/django/pull/7756 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:2>

Django

Dec 29, 2016, 7:08:43 AM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
-------------------------------------+-------------------------------------
Reporter: Adam Chainz | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* has_patch: 1 => 0
* stage: Accepted => Someday/Maybe


Comment:

Python's `secrets.py` does `from random import SystemRandom` so this
doesn't change any behavior or add security for now. Adam said,
"Presumably the intention is that secrets might one day use a different
PRNG's on some OS's." Let's make the change if the benefits become more
than theoretical or when only Python 3.6+ is supported.

Another possibility Aymeric mentioned, "In the long run I think we should
deprecate get_random_string in favor of similar functions provided by the
secrets module. I didn't check whether there was a sensible transition
plan to make use of secrets on Python 3.6 while still supporting older
versions."

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:3>

Django

Jan 3, 2017, 2:07:13 PM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
-------------------------------------+-------------------------------------
Reporter: Adam Chainz | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Emett Speer):

Replying to [comment:3 Tim Graham]:


> Python's `secrets.py` does `from random import SystemRandom` so this
> doesn't change any behavior or add security for now. Adam said,
> "Presumably the intention is that secrets might one day use a different
> PRNG's on some OS's." Let's make the change if the benefits become more
> than theoretical or when only Python 3.6+ is supported.
>
> Another possibility Aymeric mentioned, "In the long run I think we
> should deprecate get_random_string in favor of similar functions provided
> by the secrets module. I didn't check whether there was a sensible
> transition plan to make use of secrets on Python 3.6 while still
> supporting older versions."

I'm with you on this. The vast majority of people are not going to use
this for a long time and it will add an extra bit of overhead just to
support an update in a single version of Python none of the big distros
ship. Once more of the Django community has migrated to Python 3.6+ it
would be worth looking into.

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:4>

Django

May 12, 2019, 11:54:58 AM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Claude Paroz):

* has_patch: 0 => 1


Comment:

New [https://github.com/django/django/pull/11357 PR] now we are on 3.6+.

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:5>

Django

May 15, 2019, 6:08:10 PM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Nick Pope
Type: Cleanup/optimization | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Nick Pope):

* owner: nobody => Nick Pope
* status: new => assigned
* stage: Someday/Maybe => Accepted


Comment:

Alternate [https://github.com/django/django/pull/11368 PR] addressing the
non-working fallback and optionally stripping it out based on
[https://github.com/django/django/pull/11357#issuecomment-492839409 my
comment].

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:6>

Django

May 20, 2019, 5:43:24 AM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Nick Pope
Type: Cleanup/optimization | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"068005a349f80b3c6c724cc7a2d0b0c44413f463" 068005a3]:
{{{
#!CommitTicketReference repository=""
revision="068005a349f80b3c6c724cc7a2d0b0c44413f463"
Refs #27635 -- Removed fallback when SystemRandom() isn't available that
doesn't work.

Fallback was untested and likely never triggered.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:7>

Django

May 20, 2019, 5:43:24 AM
to django-...@googlegroups.com
#27635: django.utils.crypto should use secrets on Python 3.6+
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Nick Pope
Type: Cleanup/optimization | Status: closed
Component: Utilities | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"1d0bab0bfd77edcf1228d45bf654457a8ff1890d" 1d0bab0]:
{{{
#!CommitTicketReference repository=""
revision="1d0bab0bfd77edcf1228d45bf654457a8ff1890d"
Fixed #27635 -- Used secrets module in django.utils.crypto.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27635#comment:8>
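
The point raised in comment 3 and settled by the final commit, as an added example (not code from Django or from anyone on the ticket): `secrets` re-exports `random.SystemRandom`, so `secrets.choice` draws from the same OS-backed generator, in contrast to the seedable default `random.Random`. The helper names, alphabet and lengths are assumptions chosen for this illustration.

```python
import random
import secrets
import string

# Assumed alphabet for this example: ASCII letters and digits.
ALPHABET = string.ascii_letters + string.digits


def secrets_reuses_systemrandom() -> bool:
    """True when secrets.SystemRandom is the very class random exports."""
    return secrets.SystemRandom is random.SystemRandom


def random_string(length: int = 12, allowed_chars: str = ALPHABET) -> str:
    """Hypothetical helper: draw each character from the OS CSPRNG."""
    return "".join(secrets.choice(allowed_chars) for _ in range(length))


def mt_string(seed: int, length: int = 12, allowed_chars: str = ALPHABET) -> str:
    """Contrast case: Mersenne Twister output is fully determined by its seed,
    which is why it must never be used for tokens or keys."""
    rng = random.Random(seed)
    return "".join(rng.choice(allowed_chars) for _ in range(length))


def systemrandom_ignores_seed(length: int = 32) -> bool:
    """SystemRandom.seed() is a no-op, so reseeding cannot replay its output."""
    rng = secrets.SystemRandom()
    rng.seed(1234)
    first = "".join(rng.choice(ALPHABET) for _ in range(length))
    rng.seed(1234)
    second = "".join(rng.choice(ALPHABET) for _ in range(length))
    return first != second


if __name__ == "__main__":
    print("secrets.SystemRandom is random.SystemRandom:",
          secrets_reuses_systemrandom())
    print("OS CSPRNG string:", random_string())
    print("Mersenne Twister replayable from seed:", mt_string(42) == mt_string(42))
    print("SystemRandom ignores seed():", systemrandom_ignores_seed())
```
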
