[Python-Dev] Status of the fix for the hash collision vulnerability

Antoine Pitrou solipsis at pitrou.net
Sat Jan 14 02:17:08 CET 2012

On Thu, 12 Jan 2012 18:57:42 -0800
Guido van Rossum <guido at python.org> wrote:
> Hm... I started out as a big fan of the randomized hash, but thinking more
> about it, I actually believe that the chances of some legitimate app having
> >1000 collisions are way smaller than the chances that somebody's code will
> break due to the variable hashing.

Breaking due to variable hashing is deterministic: you notice it as
soon as you upgrade (and then you use PYTHONHASHSEED to disable
variable hashing). That seems better than unpredictable breaking when
some legitimate collision chain happens.
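
The behaviour described above, as an added example that is not part of the original message: a fresh interpreter is started under different `PYTHONHASHSEED` values to show that string hashes (and so set iteration order) change with the seed, while a fixed seed, including `0` which disables randomization, makes them reproducible. The child program, the sample strings and the helper names are constructed for this illustration.

```python
import os
import subprocess
import sys

# Constructed child program: prints the hash of a fixed string and the
# iteration order of a small set of strings (that order depends on str hashes).
CHILD = "print(hash('spam')); print(list({'spam', 'eggs', 'ham', 'bacon'}))"


def run_child(seed):
    """Run CHILD in a fresh interpreter with PYTHONHASHSEED set to `seed`.

    `seed` may be an integer, or the string "random" for a per-process seed.
    Returns (hash of 'spam', printed set order).
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run(
        [sys.executable, "-c", CHILD],
        env=env, capture_output=True, text=True, check=True,
    ).stdout
    hash_line, order_line = out.splitlines()
    return int(hash_line), order_line


def stable_under(seed, runs=3):
    """True if every run with this fixed seed gives identical results."""
    return len({run_child(seed) for _ in range(runs)}) == 1


def differs_between(seed_a, seed_b):
    """True if the two seeds give different hashes for the same string."""
    return run_child(seed_a)[0] != run_child(seed_b)[0]


if __name__ == "__main__":
    # Seed 0 disables randomization: results repeat on every run.
    print("seed 0 stable:     ", stable_under(0))
    # Any other fixed seed is also reproducible, but gives other hashes.
    print("seed 1 stable:     ", stable_under(1))
    print("seed 1 != seed 2:  ", differs_between(1, 2))
    # A per-process random seed: code that relies on set order or on
    # stored hash values shows the difference on the first few runs.
    for _ in range(3):
        print("random seed run:   ", run_child("random"))
```
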



