[Python-Dev] Status of the fix for the hash collision vulnerability
Gregory P. Smith
greg at krypto.org
Sun Jan 15 18:02:35 CET 2012
On Sun, Jan 15, 2012 at 8:46 AM, Stefan Behnel <stefan_ml at behnel.de> wrote:
>
> It also seems to me that the wording "has a hash value which never changes
> during its lifetime" makes it pretty clear that the lifetime of the hash
> value is not guaranteed to supersede the lifetime of the object (although
> that's a rather muddy definition - memory lifetime? or pickle-unpickle as
> well?).
>
Lifetime to me means of that specific instance of the object. I would not
expect that to survive pickle-unpickle.
> However, this entry in the glossary only seems to have appeared with Py2.6,
> likely as a result of the abc changes. So it won't help in defending a
> change to the hash function.
>
Ugh, I really hope there is no code out there depending on the hash
function being the same across a pickle and unpickle boundary.
Unfortunately the hash function was last changed in 1996 in
http://hg.python.org/cpython/rev/839f72610ae1 so it is possible someone
somewhere has written code blindly assuming that non-guarantee is true.
-gps
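Added example (not part of the original message or of CPython's own code): it shows the concrete failure mode the thread is worried about, code that persists the output of the built-in `hash()` across an interpreter boundary, next to the two things that do hold. Assumptions: a Python 3 interpreter reachable as `sys.executable`, and `PYTHONHASHSEED` honoured by that interpreter; the function names `hash_under_seed`, `fragile_key`, `stable_key` and `pickle_roundtrip_lookup` and the sample strings are constructed for this illustration.

```python
"""Why hash() must not be treated as stable beyond one interpreter process."""
import hashlib
import os
import pickle
import subprocess
import sys


def hash_under_seed(seed: str, value: str = "abc") -> int:
    """Run a child interpreter with PYTHONHASHSEED=seed and return hash(value).

    Demonstrates that hash() of a str is only stable within one process
    (or across processes that were started with the same fixed seed).
    """
    env = dict(os.environ, PYTHONHASHSEED=seed)
    result = subprocess.run(
        [sys.executable, "-c", f"print(hash({value!r}))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(result.stdout.strip())


def fragile_key(value: str) -> int:
    """The pattern the thread hopes nobody relies on: storing hash() output
    (in a file, database or pickle) as if it were a durable identifier.
    Works within one run, silently stops matching in the next."""
    return hash(value)


def stable_key(value: str) -> str:
    """A durable identifier: a cryptographic digest of a canonical encoding.
    Depends only on the bytes, never on the interpreter's hash seed or version."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pickle_roundtrip_lookup(keys) -> bool:
    """Containers are fine: pickle stores the keys themselves, not their hash
    values, and unpickling rehashes every key under the current process's
    hash function, so lookups still succeed after the hash function changes."""
    original = {k: i for i, k in enumerate(keys)}
    restored = pickle.loads(pickle.dumps(original))
    return all(restored[k] == original[k] for k in keys)


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    print("hash('abc') under PYTHONHASHSEED=1:", hash_under_seed("1"))
    print("hash('abc') under PYTHONHASHSEED=2:", hash_under_seed("2"))
    print("fragile_key('abc') in this process only:", fragile_key("abc"))
    print("stable_key('abc'):", stable_key("abc"))
    print("dict survives pickle round-trip:", pickle_roundtrip_lookup(["abc", "def"]))
```

Running the block twice with different `PYTHONHASHSEED` values prints different numbers for `hash('abc')` while `stable_key('abc')` stays identical, which is the distinction between an object's in-process hash (valid for its lifetime, as the glossary says) and an identifier that survives serialization. Code that has written `fragile_key`-style values to disk is exactly what a change to the hash function would break; auditing for persisted `hash()` output and replacing it with a digest such as `stable_key` removes that dependency.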