[Python-Dev] Counting collisions for the win
Barry Warsaw barry at python.org
Fri Jan 20 14:17:05 CET 2012
- Previous message: [Python-Dev] Counting collisions for the win
- Next message: [Python-Dev] Counting collisions for the win
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Jan 20, 2012, at 03:18 PM, Nick Coghlan wrote:
> On Fri, Jan 20, 2012 at 2:54 PM, Carl Meyer <carl at oddbird.net> wrote:
> > I don't have the expertise to speak otherwise to the alternatives for fixing the collisions vulnerability, but I don't believe it's accurate to presume that Django would not want to fix a dict-ordering dependency, and use that as a justification for one approach over another. It's more a matter of wanting deployment of a security fix to be as painless as possible - a security fix that system administrators can't deploy because it breaks critical applications may as well not exist.
True, but collision counting is worse IMO. It's just as likely (maybe) that an application would start getting new exceptions on dictionary insertion, as they would failures due to dictionary order changes. Unfortunately, in the former case it's because Python just added a new public API in a security release (the new exception is public API). In the latter case, no new API was added, but something exposed an already existing bug in the application. That's still a bug in the application even if counting was added. It's also a bug that any number of changes in the environment, or OS vendor deployment, could have triggered.
-1 for collision counting.
-Barry
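As an added illustration that is not part of Barry's message or of CPython, the toy hash table below models the two failure modes being weighed in this thread: a collision limit that surfaces as a new exception on insert, and a seeded hash whose iteration order shifts with the seed and exposes any code that assumed a fixed order. The sum-of-bytes hash, the seeded multiply-and-add hash, the 64-slot table and the two key sets are all constructed for the example.

```python
import itertools

class TooManyCollisions(Exception):
    """Stands in for the new public exception a collision limit would add."""

class ToyDict:
    """Constructed open-addressing table with a pluggable hash and optional probe limit."""
    def __init__(self, hash_fn, max_collisions=None, size=64):
        self.hash_fn, self.max_collisions = hash_fn, max_collisions
        self.slots = [None] * size
    def __setitem__(self, key, value):
        i, collisions = self.hash_fn(key) % len(self.slots), 0
        while self.slots[i] is not None and self.slots[i][0] != key:
            collisions += 1  # linear probing: each occupied slot passed is a collision
            if self.max_collisions is not None and collisions > self.max_collisions:
                raise TooManyCollisions(key)
            i = (i + 1) % len(self.slots)
        self.slots[i] = (key, value)
    def keys(self):  # iteration order is slot order, as an order-dependent app sees it
        return [slot[0] for slot in self.slots if slot is not None]

def weak_hash(key):  # deterministic toy hash: all anagrams of a key collide
    return sum(key.encode())

def seeded_hash(seed):  # toy randomized hash: the seed moves every key's slot
    def h(key):
        value = seed
        for byte in key.encode():
            value = (value * 31 + byte) & 0xFFFFFFFF
        return value
    return h

# Constructed inputs: the anagrams all collide under weak_hash; the benign set does not.
ANAGRAMS = ["".join(p) for p in itertools.permutations("abcd")]
BENIGN = ["alpha", "beta", "gamma", "delta"]

def collision_counting_outcome(keys, limit):
    """Return ("ok", count) or ("raised", key): the new-exception failure mode."""
    d = ToyDict(weak_hash, max_collisions=limit)
    try:
        for k in keys: d[k] = True
    except TooManyCollisions as exc:
        return ("raised", exc.args[0])
    return ("ok", len(d.keys()))

def iteration_order(keys, seed):
    """Key order an app iterating the table sees: the order-change failure mode."""
    d = ToyDict(seeded_hash(seed))
    for k in keys: d[k] = True
    return d.keys()
```

With a limit of 3, the benign keys insert cleanly while the fifth colliding anagram raises; with seeds 0 and 1 the same four benign keys come back in two different orders.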