[Python-Dev] Status of the fix for the hash collision vulnerability
"Martin v. Löwis"
martin at v.loewis.de
Sat Jan 14 16:17:59 CET 2012
On 14.01.2012 01:37, Benjamin Peterson wrote:
> 2012/1/13 Guido van Rossum <guido at python.org>:
>> Really? Even though you came up with specifically to prove me wrong?
> Coming up with a counterexample now invalidates it?
There are two concerns here:
- is it possible to come up with an example of constructed values that
show many collisions in a way that poses a threat? To this, the answer
is apparently "yes", and the proposed reaction is to hard-limit the
number of collisions accepted by the implementation.
- then, *assuming* such a limitation is in place: is it possible to come
up with a realistic application that would break under this
limitation. Mark's example is no such realistic application; instead,
it is yet another example demonstrating collisions using constructed
values (although the specific example would continue to work fine
even under the limitation).
A valid counterexample would have to come from a real application, or
at least from a scenario that is plausible for a real application.
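
Added example, not part of the original message and not CPython's code: a toy open-addressing table that hard-limits collisions per insert, fed once with ordinary keys and once with constructed colliding keys, to illustrate the two concerns above. The class and function names, the table size and the limit of 50 are assumptions chosen for illustration.

```python
class TooManyCollisions(Exception):
    """Raised when one insert probes more slots than the limit allows."""


class LimitedTable:
    """Toy open-addressing hash table with a hard cap on probes per insert."""

    def __init__(self, size=1024, max_collisions=50):
        self.size = size                      # fixed size, no resizing (toy model)
        self.max_collisions = max_collisions  # assumed limit, not CPython's value
        self.slots = [None] * size
        self.worst_probe = 0

    def insert(self, key, value):
        idx = hash(key) % self.size
        for collisions in range(self.size):
            slot = self.slots[idx]
            if slot is None or slot[0] == key:
                self.slots[idx] = (key, value)
                self.worst_probe = max(self.worst_probe, collisions)
                return collisions
            if collisions >= self.max_collisions:
                raise TooManyCollisions(f"{collisions} collisions inserting {key!r}")
            idx = (idx + 1) % self.size       # linear probing
        raise TooManyCollisions("table full")


def fill(keys, **kwargs):
    """Insert keys; return (inserted_count, worst_probe, rejected)."""
    table = LimitedTable(**kwargs)
    count = 0
    for k in keys:
        try:
            table.insert(k, True)
        except TooManyCollisions:
            return count, table.worst_probe, True
        count += 1
    return count, table.worst_probe, False


# Constructed inputs: small non-negative ints hash to themselves in CPython.
ORDINARY = list(range(500))                   # spread over distinct slots
COLLIDING = [i * 1024 for i in range(500)]    # all land in slot 0

if __name__ == "__main__":
    print("ordinary :", fill(ORDINARY))
    print("colliding:", fill(COLLIDING))
```

With the limit in place the ordinary keys never collide, while the constructed keys are rejected after 51 inserts instead of costing quadratic probing work.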