[Python-Dev] Hash collision security issue (now public)
Toshio Kuratomi a.badger at gmail.com
Thu Jan 5 21:51:50 CET 2012
On Thu, Jan 05, 2012 at 08:35:57PM +0000, Paul Moore wrote:
> On 5 January 2012 19:33, David Malcolm <dmalcolm at redhat.com> wrote:
> > We have similar issues in RHEL, with the Python versions going much
> > further back (e.g. 2.3)
> >
> > When backporting the fix to ancient python versions, I'm inclined to
> > turn the change off by default, requiring the change to be enabled via
> > an environment variable: I want to avoid breaking existing code, even if
> > such code is technically relying on non-guaranteed behavior. But we
> > could potentially tweak modpython/modwsgi so that it defaults to on.
> > That way /usr/bin/python would default to the old behavior, but web apps
> > would have some protection. Any such logic here also suggests the need
> > for an attribute in the sys module so that you can verify the behavior.
>
> Uh, surely no-one is suggesting backporting to "ancient" versions? I
> couldn't find the statement quickly on the python.org website (so this
> is via google), but isn't it true that 2.6 is in security-only mode
> and 2.5 and earlier will never get the fix?

I think when dmalcolm says "backporting" he means that he'll have to
backport the fix from modern, supported-by-python.org python to the ancient
pythons that he's supporting as part of the Linux distributions where he's
the python package maintainer.

I'm thinking he's mentioning it here mainly to see if someone thinks that
his approach for those distributions causes anyone to point out a reason not
to diverge from upstream in that manner.

> Having a source-only release for 2.6 means the fix is "off by default"
> in the sense that you can choose not to build it. Or add a #ifdef to
> the source if it really matters.

I don't think that this would satisfy dmalcolm's needs. What he's talking
about sounds more like a runtime switch (possibly only when initializing,
though, not on-the-fly).

-Toshio
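
Added example, not part of the original message or of any patch discussed in the thread: the switch CPython later shipped has the shape described above, an environment variable (`PYTHONHASHSEED`) read once at interpreter start plus a `sys` attribute (`sys.flags.hash_randomization`) to verify it. The sketch assumes a current CPython 3; the helper names and the probe string are illustrative.

```python
import os
import subprocess
import sys

# Run in each child: the interpreter's own report of the switch, plus one str hash.
PROBE = "import sys; print(sys.flags.hash_randomization, hash('python-dev'))"


def probe(seed):
    """Start a fresh interpreter with PYTHONHASHSEED=seed (None leaves it unset).

    The variable is read once at start-up, so each setting needs a new
    process. Returns (sys.flags.hash_randomization, hash of a fixed string).
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    out = subprocess.check_output([sys.executable, "-c", PROBE], env=env)
    flag, value = out.decode().split()
    return int(flag), int(value)


def audit():
    """Probe each setting twice and summarise what the children reported."""
    report = {}
    # 0 = randomization off, 1234 = fixed seed, "random" = fresh seed per process
    for seed in (0, 1234, "random"):
        (flag_a, hash_a), (flag_b, hash_b) = probe(seed), probe(seed)
        report[seed] = {
            "randomized": bool(flag_a and flag_b),
            "stable_across_runs": hash_a == hash_b,
        }
    return report


if __name__ == "__main__":
    for seed, result in audit().items():
        print("PYTHONHASHSEED=%s -> %s" % (seed, result))
    # The setting this process itself is running with:
    print("this interpreter:", bool(sys.flags.hash_randomization))
```

A deployment check for a web worker would assert that `sys.flags.hash_randomization` is non-zero and that hashes are not stable across restarts, which a fixed seed does not satisfy.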