(original) (raw)

Don't worry, the PYTHONHASHSEED setting does not get recorded in the bytecode header and the generated bytecode (even if it sometimes differs in trivial ways) is usable with all hash seed settings.

--Guido

On Fri, May 12, 2017 at 6:06 AM, Freddy Rietdijk <freddyrietdijk@fridh.nl> wrote:

Hi,

On Nix we set PYTHONHASHSEED to 0 when building packages, disabling hash randomization. We do this to improve determinism of the builds because we store the bytecode next to the code.

When one runs Python directly or via a script PYTHONHASHSEED is not set thus enabling hash randomization. Am I correct when I say that in this case Python still uses the reproducibly build bytecode and, because its now running with a random seed we wouldn't be vulnerable to http://www.ocert.org/advisories/ocert-2011-003.html ? Or would it also try to each time also recompile bytecode?

Kind regards,

Freddy

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/guido%40python.org

--Guido van Rossum (python.org/\~guido)