
bzr-windows team mailing list archive

Re: Patch Pycrypto for standalone installers?


Martin (gzlist) wrote:
> On 17/12/2009, John Arbash Meinel <john@xxxxxxxxxxxxxxxxx> wrote:
>> Basically, paramiko uses PyCrypto's Randpool, which then tries to
>> measure time.time()'s tick size by calling it until it changes 100 times.
> 
> Why patch PyCrypto when the new maintainer seems to want to get rid of
> Randpool altogether? Wouldn't getting a change in paramiko to use
> something else be better? It's not like fiddling with time.time is a
> great method of getting randomness that should be preferred over native
> functions.
> 
> Martin
> 

#1) The new way of doing it in Pycrypto is still 'beta' and so there
aren't even packages you can install using "easy_install pycrypto" (I
would guess you could download the tarball and install from source.)

But do you *really* want to ship the 'beta' version of a crypto library
with the rest of your code?

Isn't having a tiny "time.time() => time.clock()" patch a bit more obvious?

#2) It would still require a patch to paramiko, *and* getting that
released, *and* (#1).

#3) Paramiko already abstracts around RandomPool to make sure it gets
"more secure" random data. In fact, it is called SecureRandomPool (and
implements thread locking, injecting extra randomness from the os, etc.)

I agree that the ultimate way forward is to move away from RandomPool.
That hasn't happened in the year since I submitted the original bug
reports (2008-09-18). I don't see it getting fixed soon (at least a
couple months before pycrypto gets updated and then paramiko gets
updated, and paramiko would have to decide how it wants to preserve
backwards compatibility, etc.)

The alternative is for me to apply my patch and build a -3 installer...
tomorrow. Take your pick :)

John
=:->
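As an added illustration (not code from this thread, PyCrypto or paramiko), here is the tick-size probe the message describes, run against a constructed quantised clock so the cost of a coarse system clock can be seen without a Windows machine. `probe_tick` and `simulated_clock` are names chosen here, and the 15.625 ms granularity is an assumed approximation of the Windows clock behaviour the thread is concerned about.

```python
import os
import time


def probe_tick(clock, changes=100):
    """Mimic the RandomPool-style probe: call ``clock`` until its value has
    changed ``changes`` times, then report the smallest step seen and how
    many calls it took.  The call count is what explodes on a coarse clock."""
    last = clock()
    calls = 1
    seen = 0
    smallest = None
    while seen < changes:
        now = clock()
        calls += 1
        if now != last:
            delta = now - last
            if smallest is None or delta < smallest:
                smallest = delta
            last = now
            seen += 1
    return smallest, calls


def simulated_clock(granularity_us, cost_per_call_us):
    """Constructed stand-in for a system clock.  Virtual time advances by
    ``cost_per_call_us`` microseconds on every read, but the reported value
    (in float seconds) is quantised to ``granularity_us`` microseconds.
    15625 us approximates the coarse Windows clock; 1 us a fine POSIX one."""
    state = {"t": 0}

    def clock():
        state["t"] += cost_per_call_us
        return (state["t"] // granularity_us) * granularity_us / 1e6

    return clock


if __name__ == "__main__":
    # Coarse clock (assumed Windows-like) versus a microsecond clock.
    for name, g in (("coarse 15.6 ms", 15625), ("fine 1 us", 1)):
        tick, calls = probe_tick(simulated_clock(g, 5))
        print(f"{name}: tick={tick:.6f}s after {calls} calls")
    # The real clocks on this host; on Windows time.time() is the slow one.
    print("time.time():", probe_tick(time.time))
    print("time.perf_counter():", probe_tick(time.perf_counter))
    # The entropy actually worth using comes from the OS, not clock jitter.
    print("os.urandom(4):", os.urandom(4).hex())
```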
