[Python-Dev] Status of the fix for the hash collision vulnerability
solipsis at pitrou.net
Sun Jan 15 18:11:10 CET 2012
On Sun, 15 Jan 2012 17:46:36 +0100
Stefan Behnel <stefan_ml at behnel.de> wrote:
> Guido van Rossum, 15.01.2012 17:10:
> > On Sun, Jan 15, 2012 at 6:30 AM, Stefan Behnel wrote:
> >> Terry Reedy, 14.01.2012 06:43:
> >>> On 1/13/2012 8:58 PM, Gregory P. Smith wrote:
> >>>> It is perfectly okay to break existing users who had anything depending
> >>>> on ordering of internal hash tables. Their code was already broken.
> >>> Given that the doc says "Return the hash value of the object", I do not
> >>> think we should be so hard-nosed. The above clearly implies that there is
> >>> such a thing as *the* Python hash value for an object. And indeed, that
> >> has
> >>> been true across many versions. If we had written "Return a hash value
> >> for
> >>> the object, which can vary from run to run", the case would be different.
> >> Just a side note, but I don't think hash() is the right place to document
> >> this.
> > You mean we shouldn't document that the hash() of a string will vary per
> > run?
> No, I mean that the hash() builtin function is not the right place to
> document the behaviour of a string hash. That should go into the string
> object documentation.
No, but we can document that *any* hash() value can vary between runs
without being specific about which builtin types randomize their
hashes right now.
More information about the Python-Dev