[issue13703] Hash collision security issue

Antoine Pitrou report at bugs.python.org
Wed Jan 11 19:18:16 CET 2012


Antoine Pitrou <pitrou at free.fr> added the comment:

> [MAL]
> > Yes, which is why the patch should be disabled by default (using
> > an env var) in dot-releases.
> 
> Are you proposing having it enabled by default in Python 3.3?

I would personally prefer 3.3 and even 3.2 to have proper randomization
(either Paul's or Victor's or another proposal). Victor's proposal makes
fixing other hash functions very simple (there could even be helper
macros). The only serious concern IMO is startup time under Windows;
someone with Windows-fu should investigate that.

2.x maintainers might want to be more conservative, although disabling a
fix (the collision counter) by default doesn't sound very wise or
helpful to me.
(For completeness, the collision counter must also be added to sets,
btw.)

It would be nice to hear from distro maintainers here.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________

