[Python-Dev] Hash randomization and deterministic bytecode
Freddy Rietdijk
freddyrietdijk at fridh.nl
Mon May 15 03:05:05 EDT 2017
Thanks for the clarification. I'm glad we can keep hash randomization
disabled during our builds.
On Fri, May 12, 2017 at 5:22 PM, Guido van Rossum <guido at python.org> wrote:
> Don't worry, the PYTHONHASHSEED setting does not get recorded in the
> bytecode header and the generated bytecode (even if it sometimes differs in
> trivial ways) is usable with all hash seed settings.
>
> --Guido
>
> On Fri, May 12, 2017 at 6:06 AM, Freddy Rietdijk <freddyrietdijk at fridh.nl>
> wrote:
>
>> Hi,
>>
>> On Nix we set PYTHONHASHSEED to 0 when building packages, disabling hash
>> randomization. We do this to improve determinism of the builds because we
>> store the bytecode next to the code.
>>
>> When one runs Python directly or via a script PYTHONHASHSEED is not set
>> thus enabling hash randomization. Am I correct when I say that in this case
>> Python still uses the reproducibly build bytecode and, because its now
>> running with a random seed we wouldn't be vulnerable to
>> http://www.ocert.org/advisories/ocert-2011-003.html ? Or would it also
>> try to each time also recompile bytecode?
>>
>> Kind regards,
>>
>> Freddy
>>
>>
>>
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev at python.org
>> https://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe: https://mail.python.org/mailman/options/python-dev/guido%
>> 40python.org
>>
>>
>
>
> --
> --Guido van Rossum (python.org/~guido)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20170515/df24b16d/attachment.html>
More information about the Python-Dev
mailing list