[Python-Dev] Hash collision security issue (now public)

Barry Warsaw barry at python.org
Thu Jan 5 21:50:34 CET 2012


On Jan 05, 2012, at 08:35 PM, Paul Moore wrote:

>Uh, surely no-one is suggesting backporting to "ancient" versions? I
>couldn't find the statement quickly on the python.org website (so this
>is via google), but isn't it true that 2.6 is in security-only mode
>and 2.5 and earlier will never get the fix? Having a source-only
>release for 2.6 means the fix is "off by default" in the sense that
>you can choose not to build it. Or add a #ifdef to the source if it
>really matters.

Correct, although there's no reason why a patch for versions older than 2.6
couldn't be included on a python.org security page for reference in CVE or
other security notifications.  Distros that care about versions older than
Python 2.6 will basically be back-porting the patch anyway.

>My feeling is that it should go into 2.7, 3.2, and 3.3+, but with no
>bells and whistles to switch it off or the like.

I like David Malcolm's suggestion, but I have no problem applying it to 3.3,
enabled by default with no way to turn it off.  The off-by-default on-switch
policy for stable releases would be justified by maximum backward
compatibility conservativeness.

-Barry