Yes, because Python's "hmac" library doesn't provide a secure "verify" method.

Is == not good enough for you?

Sigh.

http://codahale.com/a-lesson-in-timing-attacks/

Preemptively:

* Yes, a realistic attack.

* Yes, very difficult over the Internet.

* Still difficult but not implausible if the attacker can colocate near your app; ie, if you deploy anywhere on EC2.

* Measurement bounds are high nanoseconds LAN, tens of usecs WAN.

* HMAC verification, unlike password hash comparisons, is a place where timing actually does matter.

Not to suggest that I occupy the high road when it comes to snarky comments, but consider whether your snarky comment in this case suggests an unearned (and thus dangerous) level of confidence about crypto app security. This problem (HMAC timing) is so well known that it's generated many hundreds of comments over the years on HN.

That's still a lot of code just to import a single 6 line function...

The fact that he knew about that function and you (standing in as "representative Python developer") did not seems to justify the library pretty nicely from what I can tell.

But, obviously, this code does more than Python's hmac library does, beyond just knowing how to properly verify the MAC itself.

I wasn't criticising the security of this library, I was criticising it's reason to exist in the form that it does.

Nice save.