Open miki725 opened 9 years ago
One problem with requests is the fact that it bundles a lot of code, making it very vulnerable to security bugs in other libraries.
Upstream has been asked several times about giving the possibility to unbundle the libraries it uses; those requests have been denied every time.
What do you mean it bundles a lot of code? requests is a single library.
Even if it bundles a lot of code, it is still more secure than using `urllib`, because `urllib` already has the security problem of not verifying SSL certs, whereas requests is vulnerable.
The whole discussion about requests is at https://github.com/kennethreitz/requests/pull/1812
@pypingou what would you recommend then?
@miki725 to be honest, I don't have a good solution. You are right that requests is more secure, as it checks the certificate, so I guess it's a good idea to switch to it; one just has to be aware of requests' limitations.
I'm definitely open to merging a pull request that migrates from urllib->requests.
@pypingou's points are valid, and it is a concern, however distros like Fedora unbundle python-requests. But since quantumrandom isn't properly packaged anywhere, as far as I know, that doesn't really help :\
@lmacken thanks. I might try to do one this weekend. Will send PR when ready.
Running into a similar situation elsewhere, I found http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python which gives some options for this question. Apparently pycurl might also be one, as well as this library back-porting code from py3: https://pypi.python.org/pypi/backports.ssl_match_hostname/
https://git.fedorahosted.org/cgit/mod_nss.git/plain/test/test_request.py might be interesting as well
Random numbers are pretty important in cryptography! I am currently looking for a good entropy source for a project I am working on and came across your lib. Seems very nice, however I noticed that you are using `urllib`'s `urlopen` to make API requests to get the entropy. Maybe you will be willing to switch to use `requests`, since `urllib`'s `urlopen` does not validate server SSL certificates, which I think is a potential security risk if a security conscious project needs to use this lib for a better randomness entropy source. Here is a quote from docs:

And here are the `requests` [docs]() where they clearly have the capability to check server certificate validity:
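The point of the issue is that the HTTPS client must verify the server's certificate chain and hostname before trusting the entropy it returns. The following is an added example (not code from quantumrandom or from anyone in this thread) showing how to build a verifying TLS context for `urlopen` on Python 3's `ssl` module, how the weak setting differs, and a check that an audit or unit test can run against either context. The URL, timeout and User-Agent values are constructed for illustration; `fetch_entropy` performs a real network request and is not exercised offline.

```python
import ssl
import urllib.request


def verified_ssl_context():
    """Return an SSLContext that validates the server certificate chain
    against the system CA store and checks the hostname. This is the
    behaviour the thread says old urllib's urlopen lacked and that
    requests provides by default."""
    ctx = ssl.create_default_context()
    # create_default_context already enables both; set them explicitly so a
    # later edit (or a monkeypatched ssl module) cannot silently weaken them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_ssl_context():
    """The weak setting, shown for comparison only: no chain validation and
    no hostname check, so any certificate (including a MITM's) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx):
    """True only if the context both validates the chain and checks the
    hostname. Usable as an assertion in tests or a startup self-check."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch_entropy(url, timeout=10):
    """Fetch raw bytes from an HTTPS entropy endpoint using urlopen with the
    verifying context. A bad chain or hostname mismatch raises
    ssl.SSLCertVerificationError (an ssl.SSLError subclass) rather than
    returning attacker-controlled bytes. URL and headers are constructed."""
    ctx = verified_ssl_context()
    if not context_is_verifying(ctx):
        raise RuntimeError("refusing to fetch entropy over an unverified TLS context")
    req = urllib.request.Request(url, headers={"User-Agent": "entropy-client-example"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


def fetch_entropy_with_requests(url, timeout=10):
    """Same fetch via the requests library, which verifies by default; the
    explicit verify=True guards against a caller passing verify=False.
    requests is imported lazily so this module loads without it installed."""
    import requests  # assumption: requests is available in the environment
    resp = requests.get(url, timeout=timeout, verify=True)
    resp.raise_for_status()
    return resp.content


if __name__ == "__main__":
    print("verified context ok:", context_is_verifying(verified_ssl_context()))
    print("unverified context ok:", context_is_verifying(unverified_ssl_context()))
```

A project that vendors or wraps its HTTP client can call `context_is_verifying` in its test suite so that a regression to `CERT_NONE` or `check_hostname = False` is caught before release rather than discovered in a review like this one.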