[Python-Dev] Status of the fix for the hash collision vulnerability
Gregory P. Smith
greg at krypto.org
Sun Jan 15 18:02:35 CET 2012
On Sun, Jan 15, 2012 at 8:46 AM, Stefan Behnel <stefan_ml at behnel.de> wrote:
> It also seems to me that the wording "has a hash value which never changes
> during its lifetime" makes it pretty clear that the lifetime of the hash
> value is not guaranteed to supersede the lifetime of the object (although
> that's a rather muddy definition - memory lifetime? or pickle-unpickle as
Lifetime to me means of that specific instance of the object. I would not
expect that to survive pickle-unpickle.
> However, this entry in the glossary only seems to have appeared with Py2.6,
> likely as a result of the abc changes. So it won't help in defending a
> change to the hash function.
Ugh, I really hope there is no code out there depending on the hash
function being the same across a pickle and unpickle boundary.
Unfortunately the hash function was last changed in 1996 in
http://hg.python.org/cpython/rev/839f72610ae1 so it is possible someone
somewhere has written code blindly assuming that non-guarantee is true.
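As an added illustration of the point above (not code from the thread or from CPython), the snippet below runs a modern Python (3.3+, where str hashing is randomized) under two pinned PYTHONHASHSEED values: str hashes differ between the two interpreters, a pickled table keyed by hash() values stops resolving after unpickling in the other process, while a table keyed by the strings themselves keeps working because the unpickler rehashes its keys. The key strings are constructed sample data.

```python
import json
import os
import pickle
import subprocess
import sys
from typing import List

# Constructed sample keys; any str values would do.
KEYS = ["alpha", "beta", "gamma"]


def _run_with_seed(seed: int, code: str, *args: str) -> str:
    """Run `code` in a fresh interpreter whose PYTHONHASHSEED is pinned to `seed`."""
    env = {**os.environ, "PYTHONHASHSEED": str(seed)}
    proc = subprocess.run([sys.executable, "-c", code, *args], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def str_hashes(seed: int) -> List[int]:
    """hash() of each key as computed by an interpreter started with `seed`."""
    code = f"import json; print(json.dumps([hash(k) for k in {KEYS!r}]))"
    return json.loads(_run_with_seed(seed, code))


def persisted_lookup_survives(seed_a: int, seed_b: int, key_by_hash: bool) -> bool:
    """Pickle a lookup table in one interpreter and query it from another.

    key_by_hash=True stores the hash *values* as keys (the fragile pattern the
    thread worries about); key_by_hash=False stores the strings themselves,
    which the unpickler rehashes, so membership tests keep working.
    """
    if key_by_hash:
        build = f"{{hash(k): k for k in {KEYS!r}}}"
        probe = f"all(hash(k) in table for k in {KEYS!r})"
    else:
        build = f"{{k: len(k) for k in {KEYS!r}}}"
        probe = f"all(k in table for k in {KEYS!r})"
    writer = f"import pickle, sys; sys.stdout.write(pickle.dumps({build}).hex())"
    reader = (f"import pickle, sys; table = pickle.loads(bytes.fromhex(sys.argv[1])); "
              f"print({probe})")
    blob_hex = _run_with_seed(seed_a, writer)       # pickled under seed_a
    return _run_with_seed(seed_b, reader, blob_hex) == "True"  # queried under seed_b


if __name__ == "__main__":
    for seed in (1, 2):
        print(f"PYTHONHASHSEED={seed}: hashes {str_hashes(seed)}")
    print("hash-keyed table survives:", persisted_lookup_survives(1, 2, key_by_hash=True))
    print("str-keyed table survives:", persisted_lookup_survives(1, 2, key_by_hash=False))
```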