Hash randomization and deterministic bytecode
Hi,

On Nix we set PYTHONHASHSEED to 0 when building packages, disabling hash randomization. We do this to improve determinism of the builds because we store the bytecode next to the code.

When one runs Python directly or via a script, PYTHONHASHSEED is not set, thus enabling hash randomization. Am I correct when I say that in this case Python still uses the reproducibly built bytecode and, because it's now running with a random seed, we wouldn't be vulnerable to http://www.ocert.org/advisories/ocert-2011-003.html ? Or would it also try to each time also recompile bytecode?

Kind regards,
Freddy

Don't worry, the PYTHONHASHSEED setting does not get recorded in the bytecode header and the generated bytecode (even if it sometimes differs in trivial ways) is usable with all hash seed settings.

--Guido

On Fri, May 12, 2017 at 6:06 AM, Freddy Rietdijk <freddyrietdijk@fridh.nl> wrote:
> Hi,
>
> On Nix we set PYTHONHASHSEED to 0 when building packages, disabling hash randomization. We do this to improve determinism of the builds because we store the bytecode next to the code.
>
> When one runs Python directly or via a script, PYTHONHASHSEED is not set, thus enabling hash randomization. Am I correct when I say that in this case Python still uses the reproducibly built bytecode and, because it's now running with a random seed, we wouldn't be vulnerable to http://www.ocert.org/advisories/ocert-2011-003.html ? Or would it also try to each time also recompile bytecode?
>
> Kind regards,
> Freddy
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/guido%40python.org

--
--Guido van Rossum (python.org/~guido)
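
A way to check the answer above on a local interpreter, as an added example that is not part of the original thread: it compiles a constructed module under two hash seeds, compares the 16-byte `.pyc` headers, then imports the module under other seeds and confirms the cached file is not rewritten. The module `mod.py`, its contents and all helper names are assumptions made for the illustration.

```python
import glob, hashlib, os, subprocess, sys, tempfile

# Constructed sample module: prints a seed-dependent str hash when imported.
SRC = 'KEYS = {"alpha", "beta", "gamma"}\nprint(hash("alpha"))\n'
IMPORT = "import sys; sys.path.insert(0, '.'); import mod"

def run(args, seed, cwd):
    """Run a child interpreter with PYTHONHASHSEED set to seed (None = unset, i.e. random)."""
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONHASHSEED", "PYTHONDONTWRITEBYTECODE", "PYTHONPYCACHEPREFIX")}
    if seed is not None:
        env["PYTHONHASHSEED"] = seed
    out = subprocess.run([sys.executable, *args], env=env, cwd=cwd,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def state(path):
    """(mtime, sha256) of a file: changes if the interpreter rewrites the .pyc."""
    with open(path, "rb") as f:
        return os.stat(path).st_mtime_ns, hashlib.sha256(f.read()).hexdigest()

def header(path):
    """First 16 bytes of a .pyc (PEP 552): magic, flags, then mtime+size or source hash."""
    with open(path, "rb") as f:
        return f.read(16)

def demo():
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "mod.py"), "w") as f:
            f.write(SRC)
        headers = []
        for seed in ("123", "0"):  # the last build uses seed 0, as in the Nix build
            run(["-m", "compileall", "-q", "-f", "mod.py"], seed, d)
            pyc = glob.glob(os.path.join(d, "__pycache__", "mod.*.pyc"))[0]
            headers.append(header(pyc))
        built = state(pyc)
        # Runtime: import under fixed and random seeds; the cached .pyc must stay untouched.
        hashes = [run(["-c", IMPORT], seed, d) for seed in ("1", "2", None)]
        return {"same_header": headers[0] == headers[1],
                "pyc_untouched": state(pyc) == built,
                "hashes": hashes}

if __name__ == "__main__":
    print(demo())
```
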

Thanks for the clarification. I'm glad we can keep hash randomization disabled during our builds.

On Fri, May 12, 2017 at 5:22 PM, Guido van Rossum <guido@python.org> wrote:
> Don't worry, the PYTHONHASHSEED setting does not get recorded in the bytecode header and the generated bytecode (even if it sometimes differs in trivial ways) is usable with all hash seed settings.
>
> --Guido
>
> On Fri, May 12, 2017 at 6:06 AM, Freddy Rietdijk <freddyrietdijk@fridh.nl> wrote:
> > Hi,
> >
> > On Nix we set PYTHONHASHSEED to 0 when building packages, disabling hash randomization. We do this to improve determinism of the builds because we store the bytecode next to the code.
> >
> > When one runs Python directly or via a script, PYTHONHASHSEED is not set, thus enabling hash randomization. Am I correct when I say that in this case Python still uses the reproducibly built bytecode and, because it's now running with a random seed, we wouldn't be vulnerable to http://www.ocert.org/advisories/ocert-2011-003.html ? Or would it also try to each time also recompile bytecode?
> >
> > Kind regards,
> > Freddy

participants (2)
- Freddy Rietdijk
- Guido van Rossum