[Python-Dev] Counting collisions for the win
Case Van Horsen
casevh at gmail.com
Fri Jan 20 20:06:46 CET 2012
On Fri, Jan 20, 2012 at 8:17 AM, Victor Stinner
<victor.stinner at haypocalc.com> wrote:
>> So I still think we should ditch the paranoia about dictionary order changing,
>> and fix this without counting.
>
> The randomized hash has other issues:
>
> - its security is based on its secret, whereas it looks to be easy to
> compute it (see more details in the issue)
> - my patch only changes hash(str), whereas other developers asked me
> to patch also bytes, int and other types
Changing hash(int) on a bugfix release will cause issues with
extensions (gmpy, sage, probably others) that calculate the hash of
numerical objects.
>
> hash(bytes) can be changed. But changing hash(int) may leak easily the
> secret. We may use a different secret for each type, but if it is easy
> to compute int hash secret, dictionaries using int are still
> vulnerable.
>
> --
>
> There is no perfect solutions, drawbacks of each solution should be compared.
>
> Victor
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/casevh%40gmail.com
More information about the Python-Dev
mailing list