[Python-Dev] Hash collision security issue (now public)

Mark Shannon mark at hotpy.org
Fri Jan 6 21:25:46 CET 2012


It seems to me that half the folk discussing this issue want a 
super-strong, resist-all-hypothetical-attacks hash with little regard to 
performance. The other half want no change or a change that will have no 
  observable effect. (I may be exaggerating a little.)

Can I propose the following, half-way proposal:

1. Since there is a published vulnerability,
that we fix it with the most efficient solution proposed so far:

2. Decide which versions of Python this should be applied to.
3.3 seems a given, the other are open to debate.

3. If and only if (and I think this unlikely) the solution chosen is 
shown to be vulnerable to a more sophisticated attack then a new issue 
should be opened and dealt with separately.


More information about the Python-Dev mailing list