[Python-Dev] Status of the fix for the hash collision ulnerability

Heiko Wundram modelnine at modelnine.org
Sun Jan 15 19:40:49 CET 2012

Am 15.01.2012 15:27, schrieb Victor Stinner:
> I don't think that it would be hard to patch this library to use
> another hash function. It can implement its own hash function, use
> MD5, SHA1, or anything else. hash() is not stable accross Python
> versions and 32/64 bit systems.

As I wrote in a reply further down: no, it isn't hard to change this 
behaviour (and I find the current caching system, which uses hash() on 
an URL to choose the cache index, braindead to begin with), but, as with 
all other considerations: the current version of the library, with the 
default options, depends on hash() to be stable for the cache to make 
any sense at all (and especially with "generic" schema such as the 
referenced xml.dtd, caching makes a lot of sense, and not being able to 
cache _breaks_ applications as it did mine). This is juts something to 
bear in mind.

--- Heiko.

More information about the Python-Dev mailing list