[Python-Dev] plugging the hash attack
martin at v.loewis.de
Sat Jan 28 02:49:26 CET 2012
> 1. Simple hash randomization is the way to go. We think this has the
> best chance of actually fixing the problem while being fairly
> straightforward such that we're comfortable putting it in a stable
> release.
> 2. It will be off by default in stable releases and enabled by an
> envar at runtime. This will prevent code breakage from dictionary
> order changing as well as people depending on the hash stability.
I think this is a good compromise given the widely varying assessments
of the issue.
Regards,
Martin
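
The effect of the quoted proposal, as an added example that is not part of the original message or of CPython's code: it starts fresh interpreters with different hash seeds and compares string hashes and set iteration order. It assumes CPython's `PYTHONHASHSEED` environment variable, where `0` disables randomization and stands in for the "off" setting; the sample keys are constructed.

```python
import os
import subprocess
import sys

# Constructed sample keys; any strings work.
KEYS = ["alpha", "beta", "gamma", "delta", "epsilon"]

# Child program: print the hash of the first key, then the iteration
# order of a set built from all keys.
CHILD = (
    "import sys; keys = sys.argv[1:]; "
    "print(hash(keys[0])); print(','.join(set(keys)))"
)


def observe(seed):
    """Run a fresh interpreter with PYTHONHASHSEED=seed.

    Returns (hash of KEYS[0], set iteration order as a list).
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run(
        [sys.executable, "-c", CHILD, *KEYS],
        env=env, capture_output=True, text=True, check=True,
    ).stdout.split()
    return int(out[0]), out[1].split(",")


def compare(seeds=(0, 0, 1, 1, 2)):
    """Collect (seed, hash, order) for each seed, one process per entry."""
    return [(seed, *observe(seed)) for seed in seeds]


if __name__ == "__main__":
    for seed, value, order in compare():
        print(f"seed={seed} hash({KEYS[0]!r})={value} order={order}")
```

Runs with the same seed agree with each other, which is why a fixed seed keeps order-dependent code and tests reproducible; runs with different seeds disagree, which is what removes an attacker's ability to precompute colliding keys.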