[Python-Dev] Hash collision security issue (now public)
Antoine Pitrou
solipsis at pitrou.net
Thu Jan 5 22:59:59 CET 2012
On Thu, 05 Jan 2012 22:40:58 +0100
Christian Heimes <lists at cheimes.de> wrote:
> On 05.01.2012 21:45, Barry Warsaw wrote:
> > This sounds like a reasonable compromise for all stable Python releases. It
> > can be turned on by default for Python 3.3. If you also make the default
> > setting easy to change (i.e. parameterized in one place), then distros can
> > make their own decision about the default, although I'd argue for the above
> > default approach for Debian/Ubuntu.
>
> Hey Barry, stop stealing my ideas! :) I've argued for these default
> settings for days.
>
> ver   delivery   randomized hashing
> ==========================================
> 2.3   patch      disabled by default
> 2.4   patch      disabled
> 2.5   patch      disabled
> 2.6   release    disabled
> 2.7   release    disabled
> 3.0   ignore?    disabled
> 3.1   release    disabled
> 3.2   release    disabled
> 3.3   n/a yet    enabled by default
I don't think we (python-dev) are really concerned with 2.3, 2.4,
2.5 and 3.0. They're all unsupported, and people do what they want
with their local source trees.
Regards
Antoine.