[Python-Dev] plugging the hash attack

Benjamin Peterson benjamin at python.org
Sat Jan 28 03:33:57 CET 2012

2012/1/27 Steven D'Aprano <steve at pearwood.info>:
> Benjamin Peterson wrote:
>> Hello everyone,
>> In effort to get a fix out before Perl 6 goes mainstream, Barry and I
>> have decided to pronounce on what we want for our stable releases.
>> What we have decided is that
>> 1. Simple hash randomization is the way to go. We think this has the
>> best chance of actually fixing the problem while being fairly
>> straightforward such that we're comfortable putting it in a stable
>> release.
>> 2. It will be off by default in stable releases and enabled by an
>> envar at runtime. This will prevent code breakage from dictionary
>> order changing as well as people depending on the hash stability.
> Do you have the expectation that it will become on by default in some future
> release?

Yes, 3.3. The solution in 3.3 could even be one of the more
sophisticated proposals we have today.


More information about the Python-Dev mailing list