[Python-Dev] Python startup time
Antoine Pitrou
antoine at python.org
Mon May 14 13:17:32 EDT 2018
Le 14/05/2018 à 19:12, INADA Naoki a écrit :
> I'm sorry, the word *will* may be stronger than I thought.
>
> I meant if memory image dumped on disk is used casually,
> it may make easier to make security hole.
>
> For example, if `hg` memory image is reused, and it can be leaked in some
> way,
> hg serve will be hashdos weak.
This discussion subthread is not about having a memory image dumped on
disk, but a daemon utility that preloads a new Python process when you
first start up your CLI application. Each time a new process is
preloaded, it will by construction use a new hash seed.
(by contrast, the Node.js CVE issue you linked to is about having the
same hash seed accross a Node.js version; that's disastrous)
Also you add a reuse limit to ensure that the hash seed is rotated (e.g.
every 100 invocations).
Regards
Antoine.
More information about the Python-Dev
mailing list