[Python-Dev] plugging the hash attack

Gregory P. Smith greg at krypto.org
Sun Jan 29 22:26:06 CET 2012


On Fri, Jan 27, 2012 at 6:33 PM, Benjamin Peterson <benjamin at python.org> wrote:
> 2012/1/27 Steven D'Aprano <steve at pearwood.info>:
>> Benjamin Peterson wrote:
>>>
>>> Hello everyone,
>>> In effort to get a fix out before Perl 6 goes mainstream, Barry and I
>>> have decided to pronounce on what we want for our stable releases.
>>> What we have decided is that
>>> 1. Simple hash randomization is the way to go. We think this has the
>>> best chance of actually fixing the problem while being fairly
>>> straightforward such that we're comfortable putting it in a stable
>>> release.
>>> 2. It will be off by default in stable releases and enabled by an
>>> envar at runtime. This will prevent code breakage from dictionary
>>> order changing as well as people depending on the hash stability.
>>
>>
>> Do you have the expectation that it will become on by default in some future
>> release?
>
> Yes, 3.3. The solution in 3.3 could even be one of the more
> sophisticated proposals we have today.

Yay!  Thanks for the decision, Release Managers!

-gps
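The decision quoted above is to ship hash randomization behind an environment variable and turn it on by default later. The following is an added example, not part of this thread or of CPython itself: it runs fresh interpreters with different seed settings and checks whether the hash of a string is stable across runs. It assumes a Python where the knob is `PYTHONHASHSEED` and `sys.flags.hash_randomization` reports the current state (3.3 and later, where randomization is on by default), and it uses the constructed sample string "python-dev".

```python
import os
import subprocess
import sys
from typing import Optional


def str_hash_in_subprocess(seed: Optional[str], text: str = "python-dev") -> int:
    """Start a fresh interpreter and return hash(text) as computed there.

    seed=None leaves PYTHONHASHSEED unset (interpreter default);
    seed="0" disables randomization; any other integer fixes the seed;
    seed="random" forces a random seed on each start.
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)  # start from a clean slate
    if seed is not None:
        env["PYTHONHASHSEED"] = seed
    # str hashes are per-process, so the value must be computed in a child.
    proc = subprocess.run(
        [sys.executable, "-c", f"print(hash({text!r}))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(proc.stdout.strip())


def hashes_are_stable(seed: Optional[str], runs: int = 3) -> bool:
    """True if every fresh interpreter produced the same str hash."""
    return len({str_hash_in_subprocess(seed) for _ in range(runs)}) == 1


def randomization_enabled_here() -> bool:
    """Report whether the interpreter running this code randomizes str hashes."""
    return bool(sys.flags.hash_randomization)


if __name__ == "__main__":
    print("randomized in this process:", randomization_enabled_here())
    print("stable with PYTHONHASHSEED=0:", hashes_are_stable("0"))
    print("stable with PYTHONHASHSEED=random:", hashes_are_stable("random", runs=5))
```

A fixed seed (including `0`, which disables randomization) reproduces the old behaviour where dictionary order is the same on every run; with a random seed the hash, and therefore set and dict iteration order for strings, changes from process to process, which is exactly the "code breakage from dictionary order changing" the message warns stable-release users about. Checking `sys.flags.hash_randomization` at start-up is the cheap way for an application to confirm the mitigation is actually in effect.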