Figure out how to cope with EGD going away

[public]

It's likely that EGD support will slowly start to disappear from things that PyOpenSSL depends on in the future. e.g. The libcrypto that it links to on some platforms. pyca/cryptography is considering removing the bindings because of this pyca/cryptography#1636 but obviously breaking PyOpenSSL would be a bad thing.

How do we go about deprecating these APIs in a way that causes the minimum of problems for people?

[hynek]

FWIW, it seems that LibreSSL has already cut out EGD? I tried to do some work in s_i and pre 0.14 pyOpenSSL doesn't install du to compile errors mentioning EDG.

Can someone give me a short summary on what this is about?

[reaperhulk]

Yep, Libre has cut out EGD. The entropy gathering daemon is an outdated and no longer useful daemon that tried to provide entropy by monitoring various sources independently of the kernel.

[hynek]

OK I’ve had a look and it seems we use EGD in exactly one place: https://github.com/pyca/pyopenssl/blob/master/src/OpenSSL/rand.py#L94-L113

Suggestion:

1. we make OpenSSL.rand.egd() raise a DeprecationWarning
2. we replace the call to RAND_egd_bytes() by a call of seed(os.urandom(bytes))

That way we:

1. don’t compromise the user’s security (arguably we increase it)
2. get rid of the API binding completely
3. start a deprecation cycle so we can get rid of it in a year completely

Opinions?

[Lukasa]

Sounds reasonable to me. =)

[reaperhulk]

I'm fine with that. Plus it gives us a potential date to remove the binding from cryptography.