[Python-Dev] Status of the fix for the hash collision vulnerability

Barry Warsaw barry at python.org
Sat Jan 14 04:19:38 CET 2012


On Jan 13, 2012, at 05:38 PM, Guido van Rossum wrote:

>On Fri, Jan 13, 2012 at 5:17 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>
>> Breaking due to variable hashing is deterministic: you notice it as
>> soon as you upgrade (and then you use PYTHONHASHSEED to disable
>> variable hashing). That seems better than unpredictable breaking when
>> some legitimate collision chain happens.
>
>
>Fair enough. But I'm now uncomfortable with turning this on for bugfix
>releases. I'm fine with making this the default in 3.3, just not in 3.2,
>3.1 or 2.x -- it will break too much code and organizations will have to
>roll back the release or do extensive testing before installing a bugfix
>release -- exactly what we *don't* want for those.

+1

-Barry
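
Added example, not part of the original message or thread: a small Python harness for the check Antoine Pitrou describes above, running a snippet in fresh interpreters under several PYTHONHASHSEED values to see whether its output depends on hash ordering. The helper names, the word list and the two sample snippets are constructed for illustration; it assumes Python 3.7 or later.

```python
import os
import subprocess
import sys

# Constructed sample data: any handful of distinct strings will do.
WORDS = ["alpha", "beta", "gamma", "delta", "epsilon", "zeta", "eta", "theta"]

# Relies on set iteration order, which follows the (seeded) string hashes.
FRAGILE = "print(list(set(%r)))" % (WORDS,)
# Imposes its own order, so the hash seed cannot change the output.
ROBUST = "print(sorted(set(%r)))" % (WORDS,)


def run_with_seed(snippet, seed):
    """Run `snippet` in a fresh interpreter with PYTHONHASHSEED=seed.

    seed may be an integer (0 disables randomization) or "random".
    Returns the child's stdout.
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    result = subprocess.run(
        [sys.executable, "-c", snippet],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout


def distinct_outputs(snippet, seeds):
    """Group seeds by the output they produced: {stdout: [seed, ...]}."""
    seen = {}
    for seed in seeds:
        seen.setdefault(run_with_seed(snippet, seed), []).append(seed)
    return seen


def is_order_dependent(snippet, seeds=range(1, 9)):
    """True if the snippet's output changes with the hash seed."""
    return len(distinct_outputs(snippet, seeds)) > 1


if __name__ == "__main__":
    for name, snippet in (("fragile", FRAGILE), ("robust", ROBUST)):
        print(name, "order-dependent:", is_order_dependent(snippet))
    # With PYTHONHASHSEED=0 the same code gives the same output on every run.
    print("seed 0 stable:", run_with_seed(FRAGILE, 0) == run_with_seed(FRAGILE, 0))
```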

