[Python-Dev] Status of the fix for the hash collision vulnerability

Steven D'Aprano steve at pearwood.info
Sun Jan 15 05:49:50 CET 2012

Guido van Rossum wrote:
> On Fri, Jan 13, 2012 at 5:58 PM, Gregory P. Smith <greg at krypto.org> wrote:
>> It is perfectly okay to break existing users who had anything depending on
>> ordering of internal hash tables. Their code was already broken. We *will*provide a flag and/or environment variable that can be set to turn the
>> feature off at their own peril which they can use in their test harnesses
>> that are stupid enough to use doctests with order dependencies.
> No, that is not how we usually take compatibility between bugfix releases.
> "Your code is already broken" is not an argument to break forcefully what
> worked (even if by happenstance) before. The difference between CPython and
> Jython (or between different CPython feature releases) also isn't relevant
> -- historically we have often bent over backwards to avoid changing
> behavior that was technically undefined, if we believed it would affect a
> significant fraction of users.
> I don't think anyone doubts that this will break lots of code (at least,
> the arguments I've heard have been "their code is broken", not "nobody does
> that").

I don't know about "lots" of code, but it will break at least one library (or 
so I'm told):



More information about the Python-Dev mailing list