[issue14444] Virtualenv not portable from Python 2.7.2 to 2.7.3 (os.urandom missing)

Carl Meyer report at bugs.python.org
Thu Mar 29 23:53:27 CEST 2012

Carl Meyer <carl at dirtcircle.com> added the comment:

I'd been thinking the "escape the security fix" argument didn't apply, because the security fix requires opt-in anyway and the -R flag would fail immediately on a non-updated virtualenv.

But there is also the environment variable. It is quite possible that someone could update their system Python, set PYTHONHASHSEED and think they are protected from the hash collision vulnerability, but not be because they are running in a virtualenv. That is a strong argument for letting this break and forcing the update.


Python tracker <report at bugs.python.org>

More information about the Python-bugs-list mailing list