[issue13703] Hash collision security issue
Dave Malcolm
report at bugs.python.org
Mon Feb 6 20:11:43 CET 2012
Dave Malcolm <dmalcolm at redhat.com> added the comment:
On Mon, 2012-02-06 at 10:20 +0000, Marc-Andre Lemburg wrote:
> Marc-Andre Lemburg <mal at egenix.com> added the comment:
>
> STINNER Victor wrote:
> >
> > STINNER Victor <victor.stinner at haypocalc.com> added the comment:
> >
> >> In a security fix release, we shouldn't change the linkage procedures,
> >> so I recommend that the LoadLibrary dance remains.
> >
> > So the overhead in startup time is not an issue?
>
> It is an issue. Not only in terms of startup time, but also
msg152362 indicated that there was negligible impact on startup time
when randomization is disabled. The impact when it *is* enabled is
unclear, but reported there as "isn't crippling".
> because randomization per default makes Python behave in
> non-deterministic ways - which is not what you want from a
> programming language or interpreter (unless you explicitly
> tell it to behave like that).
The release managers have pronounced:
http://mail.python.org/pipermail/python-dev/2012-January/115892.html
Quoting that email:
> 1. Simple hash randomization is the way to go. We think this has the
> best chance of actually fixing the problem while being fairly
> straightforward such that we're comfortable putting it in a stable
> release.
> 2. It will be off by default in stable releases and enabled by an
> envar at runtime. This will prevent code breakage from dictionary
> order changing as well as people depending on the hash stability.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
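Added example, not code from the tracker thread or from CPython: a small model of what "simple hash randomization" buys. With a fixed hash seed an attacker who knows the hash function can precompute keys that all land in one bucket, so inserting n of them costs O(n^2) key comparisons; under a per-process random seed the same precomputed keys spread out again. Everything here is a hypothetical stand-in: the seeded hash is a keyed BLAKE2b truncated to 16 bits (not CPython's string hash), the table is a 256-bucket chained table (not CPython's dict), and the environment variable TOY_HASH_SEED only mirrors the "off by default, enabled by an envar" policy quoted above.

```python
"""Toy model of a hash-collision flood against a fixed-seed hash table,
and of the effect of randomizing the seed.  Added example; all names
below (seeded_hash, ChainedTable, TOY_HASH_SEED, ...) are hypothetical
and not CPython's."""

import hashlib
import os
import random
from collections import defaultdict

N_BUCKETS = 256
SEED_MASK = (1 << 64) - 1


def seeded_hash(key: bytes, seed: int) -> int:
    """16-bit keyed hash; seed=0 stands in for an unrandomized interpreter."""
    h = hashlib.blake2b(key, digest_size=2, key=(seed & SEED_MASK).to_bytes(8, "little"))
    return int.from_bytes(h.digest(), "little")


def seed_from_env() -> int:
    """Mirror the quoted policy: no env var -> deterministic seed 0;
    TOY_HASH_SEED=random -> fresh seed for this process; else the given int."""
    raw = os.environ.get("TOY_HASH_SEED")
    if raw is None:
        return 0
    if raw == "random":
        return int.from_bytes(os.urandom(8), "little")
    return int(raw) & SEED_MASK


class ChainedTable:
    """Minimal chained hash table that counts key comparisons, so the cost
    of a collision flood is visible as a number rather than a timing."""

    def __init__(self, seed: int):
        self.seed = seed
        self.buckets = [[] for _ in range(N_BUCKETS)]
        self.comparisons = 0

    def _index(self, key: bytes) -> int:
        return seeded_hash(key, self.seed) % N_BUCKETS

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self._index(key)]
        for i, (k, _) in enumerate(chain):   # linear scan of the chain
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def max_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def colliding_keys(n: int, seed: int = 0, rng_seed: int = 1234) -> list:
    """Attacker precomputation against a known seed: draw random keys
    (constructed here with a fixed RNG seed) until one bucket holds n."""
    rng = random.Random(rng_seed)
    by_bucket = defaultdict(list)
    while True:
        key = rng.getrandbits(64).to_bytes(8, "little").hex().encode()
        b = seeded_hash(key, seed) % N_BUCKETS
        by_bucket[b].append(key)
        if len(by_bucket[b]) == n:
            return by_bucket[b]


def flood_cost(keys: list, seed: int) -> tuple:
    """Insert keys into a table using `seed`; return (max chain, comparisons)."""
    t = ChainedTable(seed)
    for k in keys:
        t.insert(k, None)
    return t.max_chain(), t.comparisons


if __name__ == "__main__":
    attack = colliding_keys(32)              # precomputed against seed 0
    print("fixed seed 0:       ", flood_cost(attack, 0))
    print("seed from env policy:", flood_cost(attack, seed_from_env()))
    print("fresh random seed:  ", flood_cost(attack, int.from_bytes(os.urandom(8), "little")))
```

Run it plainly and the 32 precomputed keys form one chain of 32 with 496 comparisons (the quadratic case); run it with TOY_HASH_SEED=random and the same keys scatter across buckets with a handful of comparisons. The startup cost of the randomized variant is one read of os.urandom, which is the overhead the thread is weighing against determinism.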