Le 14/05/2018 à 19:12, INADA Naoki a écrit :
I'm sorry, the word *will* may be stronger than I thought.
I meant if memory image dumped on disk is used casually, it may make easier to make security hole.
For example, if `hg` memory image is reused, and it can be leaked in some way, hg serve will be hashdos weak.
This discussion subthread is not about having a memory image dumped on disk, but a daemon utility that preloads a new Python process when you first start up your CLI application. Each time a new process is preloaded, it will by construction use a new hash seed.
(by contrast, the Node.js CVE issue you linked to is about having the same hash seed accross a Node.js version; that's disastrous)
Also you add a reuse limit to ensure that the hash seed is rotated (e.g. every 100 invocations).