Description of problem:
Python 3.5 doesn't use the getrandom() syscall, even though the Fedora kernel provides it. As a first guess, I'd expect this might be due to the Koji buildroots running on a RHEL kernel rather than a Fedora one.

Version-Release number of selected component (if applicable):
python3-3.5.1-8.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
python3 -c 'import sysconfig; print(sysconfig.get_config_vars()["HAVE_GETRANDOM_SYSCALL"])'

Actual results:
Prints 0

Expected results:
Prints 1

Additional info:
I confirmed a locally built Python 3.5 prints 1 as expected. This means Fedora's system Python 3 package is currently still reading directly from /dev/urandom, and hence wasn't affected by the potentially blocking call to the getrandom() API introduced in Python 3.5.0 and 3.5.1 (which is being reverted to non-blocking behaviour in 3.5.2). This is likely to prove a more significant problem in Python 3.6, as we're looking to use the getrandom() syscall to improve the security guarantees offered by the os.urandom() API on newer kernels, and it would be unfortunate if Fedora's build process disabled those enhanced guarantees.
Upstream query regarding this behaviour where the getrandom() syscall being missing at build time means it isn't tried at runtime either: https://mail.python.org/pipermail/security-sig/2016-June/000060.html
If we hard-code enable it on Fedora builds, could that be dangerous? I.e. can we say that on Fedora it should *always* be enabled? Or should we focus on run-time querying?
(In reply to Miro Hrončok from comment #2)
> If we hard-code enable it on Fedora builds, could that be dangerous? I.e.
> can we say that on Fedora it should *always* be enabled? Or should we focus
> on run-time querying?

After giving it a bit of thought, I guess Fedora can be run in a container on any kernel (including the one that is used on Koji), so a run-time check is a must.
Python 3.5 does check at runtime. It only needs SYS_getrandom and GRND_NONBLOCK constants. More specifically, the configure script reports "checking for the Linux getrandom() syscall... no", which would mean the C code for checking HAVE_GETRANDOM_SYSCALL doesn't build & run: https://paste.fedoraproject.org/385405/22064146/
Hm, Miro tells me it does run. So I'd guess the problem is somewhere in the config machinery.
Interestingly, by itself the SYS_getrandom syscall actually works on the Koji builder.
Task: http://koji.fedoraproject.org/koji/taskinfo?taskID=14672074
Log: https://kojipkgs.fedoraproject.org//work/tasks/2074/14672074/build.log
Source: https://paste.fedoraproject.org/385449/29814146/
Update: The assumption that the buildtime check for the `getrandom` syscall fails in Koji is false.

Here's the latest build of Python 3.5: http://koji.fedoraproject.org/koji/buildinfo?buildID=801062
And here's the oldest, first build of Python 3.5 from a year ago: http://koji.fedoraproject.org/koji/buildinfo?buildID=687298

Both have in their logs (for all architectures): "checking for the Linux getrandom() syscall... yes"

I'll try to investigate further.
Apologies, the assumption was indeed not false: the build-time check fails on builds of Python 3.5.1. However, it succeeds on Python 3.5.0 and 3.5.2 builds, which is why both builds from my previous message had it succeed. That means that Fedora 25 and up don't suffer from this issue, as they are already on Python 3.5.2. I'll try to figure out a patch for 3.5.1 so it works in F24 as well.
I have made a patch for Fedora 24 (the only affected Fedora version) and verified using strace that it indeed works and Python uses the new `getrandom` syscall. Bodhi will spam this bug shortly.
In the patch, I backported the build-time check for the getrandom syscall from Python 3.5.2 to Python 3.5.1 which is in Fedora 24. The build-time check that was there previously had several issues, most importantly it did not include the proper headers.
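To make the two checks discussed in this thread concrete, here is an added example (not Python's or Fedora's code, and not the backported patch) that reproduces the shape of the configure-time probe from comment 5 and the runtime behaviour it enables: call the raw syscall with GRND_NONBLOCK, treat only ENOSYS as "the kernel has no getrandom()", and fall back to /dev/urandom whenever the syscall is missing, would block, or is filtered. The function names `have_getrandom_syscall`, `fill_random` and `random_bytes_look_filled` are hypothetical; the fallback value for GRND_NONBLOCK is the kernel ABI constant and is only used if the headers predate it, which is exactly the "proper headers" failure mode the backported check fixes.

```c
/* Added example: a minimal model of Python 3.5.2's getrandom() detection and
 * os.urandom() fallback on Linux. Not Python's own implementation. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>   /* SYS_getrandom, if the kernel headers know the syscall */
#ifdef __linux__
#include <linux/random.h>  /* GRND_NONBLOCK */
#endif

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001  /* kernel ABI value; used only when headers lack it */
#endif

/* Mirror of the configure-time probe: does the running kernel implement getrandom()?
 * Returns 1 if the syscall exists (EAGAIN from an unseeded pool still counts as present),
 * 0 if the kernel answers ENOSYS or the build headers never defined SYS_getrandom. */
int have_getrandom_syscall(void)
{
#ifdef SYS_getrandom
    unsigned char probe;
    long r = syscall(SYS_getrandom, &probe, sizeof probe, GRND_NONBLOCK);
    if (r >= 0)
        return 1;
    return errno == ENOSYS ? 0 : 1;  /* EAGAIN/EINTR/EPERM: the syscall is known */
#else
    return 0;
#endif
}

/* Fill buf with n bytes the way the non-blocking os.urandom() does: try the syscall
 * first, fall back to /dev/urandom if it is unavailable, filtered, or would block.
 * Returns 1 if getrandom() supplied the bytes, 0 if /dev/urandom did, -1 on failure. */
int fill_random(unsigned char *buf, size_t n)
{
    size_t got = 0;
#ifdef SYS_getrandom
    while (got < n) {
        long r = syscall(SYS_getrandom, buf + got, n - got, GRND_NONBLOCK);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            break;  /* ENOSYS, EAGAIN (pool not ready) or EPERM (seccomp): fall back */
        }
        got += (size_t)r;
    }
    if (got == n)
        return 1;
#endif
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    got = 0;  /* restart from scratch so the whole buffer comes from one source */
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Sanity helper: zero a 32-byte buffer, fill it, report whether any byte changed.
 * Returns the source code from fill_random() (0 or 1) if the buffer was filled,
 * -1 if filling failed or left the buffer all zero. */
int random_bytes_look_filled(void)
{
    unsigned char buf[32];
    memset(buf, 0, sizeof buf);
    int src = fill_random(buf, sizeof buf);
    if (src < 0)
        return -1;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return src;
    return -1;
}

int main(void)
{
    int src = random_bytes_look_filled();
    printf("getrandom syscall present: %d, bytes came from: %s\n",
           have_getrandom_syscall(),
           src == 1 ? "getrandom()" : src == 0 ? "/dev/urandom" : "error");
    return src < 0;
}
```

Running this under strace, as comment 10 did for the patched package, shows either a getrandom(2) call or an open/read on /dev/urandom, which is the quickest way to confirm which path a given build actually takes.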
python3-3.5.1-17.fc24 has been submitted as an update to Fedora 24.
https://bodhi.fedoraproject.org/updates/FEDORA-2016-8153676cf1
python3-3.5.1-17.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8153676cf1
python3-3.5.1-17.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This probably caused bug #1383060 to appear. Tomáš, do you have cycles to help there?
I'll look into it.