[Python-Dev] Counting collisions for the win

Barry Warsaw barry at python.org
Fri Jan 20 14:17:05 CET 2012


On Jan 20, 2012, at 03:18 PM, Nick Coghlan wrote:

>On Fri, Jan 20, 2012 at 2:54 PM, Carl Meyer <carl at oddbird.net> wrote:
>> I don't have the expertise to speak otherwise to the alternatives for
>> fixing the collisions vulnerability, but I don't believe it's accurate
>> to presume that Django would not want to fix a dict-ordering dependency,
>> and use that as a justification for one approach over another.
>
>It's more a matter of wanting deployment of a security fix to be as
>painless as possible - a security fix that system administrators can't
>deploy because it breaks critical applications may as well not exist.

True, but collision counting is worse IMO.  It's just as likely (maybe) that
an application would start getting new exceptions on dictionary insertion, as
it would failures due to dictionary order changes.  Unfortunately, in the
former case it's because Python just added a new public API in a security
release (the new exception *is* public API).  In the latter case, no new API
was added, but something exposed an already existing bug in the application.
That's still a bug in the application even if counting was added.  It's also a
bug that any number of changes in the environment, or OS vendor deployment,
could have triggered.

-1 for collision counting.

-Barry
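As an added illustration of the trade-off argued above (example code, not from the thread and not CPython's dict): a toy open-addressing table where `ProbingTable`, `fill`, the `seed` rotation, the `max_collisions` limit and the colliding key list are all constructed here to contrast the two mitigations.

```python
# Toy model of the two mitigations debated in the thread; not CPython's dict.
# "seed" rotates the hash before picking a bucket (a constructed stand-in for
# randomized hashing): keys land elsewhere, so iteration order changes but
# nothing new is raised. "max_collisions" is collision counting: a long probe
# sequence raises a brand-new exception type the application never saw before.
WORD = 32                 # toy hash width
MASK = (1 << WORD) - 1


class TooManyCollisions(Exception):
    """The new public API a collision-counting dict would expose."""


class ProbingTable:
    def __init__(self, nbuckets=8, seed=0, max_collisions=None):
        self.nbuckets = nbuckets          # must be a power of two (masking)
        self.seed = seed % WORD
        self.max_collisions = max_collisions
        self.slots = [None] * nbuckets    # each slot: (key, value) or None

    def _bucket(self, key):
        h = hash(key) & MASK
        if self.seed:                     # constructed seed mixing: rotate right
            h = ((h >> self.seed) | (h << (WORD - self.seed))) & MASK
        return h & (self.nbuckets - 1)

    def insert(self, key, value):
        idx, collisions = self._bucket(key), 0
        while self.slots[idx] is not None and self.slots[idx][0] != key:
            collisions += 1               # another occupied bucket probed
            if self.max_collisions is not None and collisions > self.max_collisions:
                raise TooManyCollisions(f"{collisions} collisions inserting {key!r}")
            idx = (idx + 1) % self.nbuckets   # linear probing
        self.slots[idx] = (key, value)

    def keys(self):
        return [slot[0] for slot in self.slots if slot is not None]


def fill(keys, **table_args):
    """Insert keys in order; return the table's iteration order, or the
    TooManyCollisions instance if the counting limit stopped the insert."""
    table = ProbingTable(**table_args)
    try:
        for key in keys:
            table.insert(key, None)
    except TooManyCollisions as exc:
        return exc
    return table.keys()


# Constructed adversarial input: with 8 buckets and no seed, multiples of 8 all
# hash to bucket 0, since hash(n) == n for small non-negative ints.
COLLIDING = [0, 8, 16, 24, 32]
```

`fill(COLLIDING)` returns `[0, 8, 16, 24, 32]`, `fill(COLLIDING, seed=2)` returns the same keys in a different order, `[0, 32, 8, 16, 24]`, and `fill(COLLIDING, max_collisions=3)` returns a `TooManyCollisions` instance instead of a key list. An application that only indexed by key is unaffected by the seed, while one that must now handle the exception has a new code path to add.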

