[Python-Dev] plugging the hash attack

Brett Cannon brett at python.org
Mon Jan 30 18:03:20 CET 2012


On Fri, Jan 27, 2012 at 21:33, Benjamin Peterson <benjamin at python.org> wrote:

> 2012/1/27 Steven D'Aprano <steve at pearwood.info>:
> > Benjamin Peterson wrote:
> >>
> >> Hello everyone,
> >> In effort to get a fix out before Perl 6 goes mainstream, Barry and I
> >> have decided to pronounce on what we want for our stable releases.
> >> What we have decided is that
> >> 1. Simple hash randomization is the way to go. We think this has the
> >> best chance of actually fixing the problem while being fairly
> >> straightforward such that we're comfortable putting it in a stable
> >> release.
> >> 2. It will be off by default in stable releases and enabled by an
> >> envar at runtime. This will prevent code breakage from dictionary
> >> order changing as well as people depending on the hash stability.
> >
>

Great!


> >
> > Do you have the expectation that it will become on by default in some
> future
> > release?
>
> Yes, 3.3. The solution in 3.3 could even be one of the more
> sophisticated proposals we have today.


I think that would be good. And I would even argue we remove support for
turning it off to force people to no longer lean on dict ordering as a
crutch (in 3.3 obviously).
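Added illustration, not part of the thread: a small model of the per-process secret mixing that the thread calls "simple hash randomization" (a prefix/suffix XORed around the classic multiplicative string hash, written here for explanation rather than copied from CPython), plus a check that a running interpreter honours the PYTHONHASHSEED environment variable. The thread itself names no variable; PYTHONHASHSEED is the one later shipped, and the function names below are my own.

```python
import os
import subprocess
import sys

MASK = (1 << 64) - 1  # keep the toy hash in a 64-bit word


def classic_str_hash(s, prefix=0, suffix=0):
    """Multiplicative string hash with optional per-process secrets.

    prefix/suffix model the random values a hash-randomized interpreter
    picks at startup.  With prefix == suffix == 0 the function is fully
    deterministic, which is the property a collision-flooding attack needs.
    """
    if not s:
        return 0
    x = (prefix ^ (ord(s[0]) << 7)) & MASK
    for ch in s:
        x = ((1000003 * x) ^ ord(ch)) & MASK
    x ^= len(s)
    x ^= suffix
    return x & MASK


def interpreter_hash(value, seed):
    """Compute hash(value) in a fresh interpreter.

    seed is the PYTHONHASHSEED setting to use: 'random', a digit string
    ('0' disables randomization), or None to inherit the caller's environment.
    """
    env = dict(os.environ)
    if seed is None:
        env.pop("PYTHONHASHSEED", None)
    else:
        env["PYTHONHASHSEED"] = seed
    proc = subprocess.run(
        [sys.executable, "-c", "print(hash(%r))" % value],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(proc.stdout)


def randomization_active():
    """True when two fresh interpreters disagree on hash('probe'), i.e. a
    per-process secret is really being mixed in (what a deployment that
    enables the feature via the environment variable should verify)."""
    return interpreter_hash("probe", "random") != interpreter_hash("probe", "random")
```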

