Roundup Tracker - Issues

Message6176

Author rouilj
Recipients ber, cmeerw, joseph_myers, rouilj, schlatterbeck
Date 2018-08-09.16:29:57
Message-id <20180809162954.6648C5F52F@vm71.localdomain>
In-reply-to <1533822990.41.0.56676864532.issue2550988@psf.upfronthosting.co.za>
Hi Bern:

In message <1533822990.41.0.56676864532.issue2550988@psf.upfronthosting.co.za>,
Bernhard Reiter writes:
>Bernhard Reiter added the comment:
>Looking into this change, I wonder if there are any platforms
>that we support that lack random.SystemRandom.
>os.urandom() documentation talks about Linux, Unix-like systems and
>Windows. While https://en.wikipedia.org/wiki//dev/random 
>explains that we have all major operating systems covered.
>
>As even the salt is a cryptographic purpose, my take on this is that
>we should only use random.SystemRandom, which does not need to be seeded
>and remove all seeding and fallback code. It should make our code even
>simpler.
>
>What do you think?

For a good quality system random implementation, you need hardware
support.  Running entropy gathering daemons such as egd, haveged
etc. can help if there is no random data source located in the
hardware chip (e.g. on VMs I have run many of them out of random data
and suffered hangs as a result).

Running on a compute stick that has no hardware entropy and minimal
source of randomness (see my earlier comment about setting up a GTD
(getting things done) tracker) should be possible if the user's use
case for roundup supports it. Also consider embedded systems that may
want to use roundup for some purpose.

In any case, seeding the PRNG random generator obtained via
"import random" should be done in all cases by the core code.
This allows tracker developers to use "import random" to:

  * display a random open issue
  * assign task to random person in list
  * show option A 10% of the time, option B 60% of the time and
    option C 30% of the time
  * etc.

without having to figure out why they keep getting the same value from
random every time.

The changes Christof made simplified the code used for security
related randomness significantly. It is now in one module that is used
throughout the code.

Also there is no reason roundup shouldn't work on VMS or OS/390 or
z/OS or iOS. Although I suspect not many shops these days would run
Python on these legacy OSes. I wonder if roundup would run in Jython,
PyPy, IronPython or MicroPython variants? I suspect it could work with
anydbm support at the very least.

Have a great week.
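
Added example (not part of the original message, and not Roundup's code): the split discussed in this thread, with security values drawn only from random.SystemRandom and a seeded PRNG kept for convenience picks such as the 10%/60%/30% option. The function names are hypothetical and the seeds are constructed demo values.

```python
import random

# Hypothetical helper names for illustration; not Roundup's API.
_secure = random.SystemRandom()  # backed by os.urandom(); seed() has no effect


def security_token(nbytes=16):
    """Hex string for salts, nonces and session ids: OS randomness only."""
    try:
        return "%0*x" % (nbytes * 2, _secure.getrandbits(nbytes * 8))
    except NotImplementedError:
        # The platform has no OS randomness source. Fail closed instead of
        # silently falling back to the predictable seeded PRNG.
        raise RuntimeError("no system randomness source available")


def pick_option(rng):
    """Option A 10%, B 60%, C 30% of the time (the case listed in the message)."""
    r = rng.random()
    return "A" if r < 0.10 else "B" if r < 0.70 else "C"


def sequence(seed, n=8):
    """Picks from a PRNG started at a known seed (constructed demo input)."""
    rng = random.Random(seed)
    return [pick_option(rng) for _ in range(n)]


def distribution(seed, n=10000):
    """Count how often each option comes up over n convenience picks."""
    rng = random.Random(seed)
    counts = {"A": 0, "B": 0, "C": 0}
    for _ in range(n):
        counts[pick_option(rng)] += 1
    return counts


if __name__ == "__main__":
    # Same seed, same "random" picks: acceptable for choosing which option
    # to display, unacceptable for a salt or a session id.
    print(sequence(42) == sequence(42))
    print(distribution(7))
    # SystemRandom output cannot be replayed from a seed.
    print(security_token(), security_token())
```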
History
Date                 User    Action  Args
2018-08-09 16:29:58  rouilj  set     recipients: + rouilj, schlatterbeck, ber, cmeerw, joseph_myers
2018-08-09 16:29:58  rouilj  link    issue2550988 messages
2018-08-09 16:29:57  rouilj  create