[Python-Dev] plugging the hash attack
Brett Cannon brett at python.org
Mon Jan 30 18:03:20 CET 2012
On Fri, Jan 27, 2012 at 21:33, Benjamin Peterson <benjamin at python.org> wrote:

> 2012/1/27 Steven D'Aprano <steve at pearwood.info>:
> > Benjamin Peterson wrote:
> >>
> >> Hello everyone,
> >> In effort to get a fix out before Perl 6 goes mainstream, Barry and I
> >> have decided to pronounce on what we want for our stable releases.
> >> What we have decided is that
> >> 1. Simple hash randomization is the way to go. We think this has the
> >> best chance of actually fixing the problem while being fairly
> >> straightforward such that we're comfortable putting it in a stable
> >> release.
> >> 2. It will be off by default in stable releases and enabled by an
> >> envar at runtime. This will prevent code breakage from dictionary
> >> order changing as well as people depending on the hash stability.
> >
> > Great!
> >
> > Do you have the expectation that it will become on by default in some future
> > release?
>
> Yes, 3.3. The solution in 3.3 could even be one of the more sophisticated
> proposals we have today.

I think that would be good. And I would even argue we remove support for turning it off to force people to no longer lean on dict ordering as a crutch (in 3.3 obviously).
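
Added example, not part of this message or of the CPython patch: a way to check whether code leans on hash or iteration order by running the same snippet in fresh interpreters under different hash seeds. The thread says only "an envar"; `PYTHONHASHSEED` is the name released CPython uses. The key list and the helper names `probe`, `order_dependent` and `stable_view` are made up for illustration.

```python
import json
import os
import subprocess
import sys

# Constructed sample keys; any collection of strings works.
KEYS = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel"]

# Child snippet: report one string's hash and the iteration order of a set.
CHILD = (
    "import json, sys\n"
    "keys = json.loads(sys.argv[1])\n"
    "print(json.dumps({'hash': hash(keys[0]), 'order': list(set(keys))}))\n"
)


def probe(seed):
    """Run CHILD in a fresh interpreter with PYTHONHASHSEED set to `seed`."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output(
        [sys.executable, "-c", CHILD, json.dumps(KEYS)], env=env
    )
    return json.loads(out.decode())


def order_dependent(seeds=(1, 2, 3, 4)):
    """True if set iteration order differs across the given seeds."""
    orders = {tuple(probe(s)["order"]) for s in seeds}
    return len(orders) > 1


def stable_view(seed):
    """Order-independent form: sort before relying on the sequence."""
    return sorted(probe(seed)["order"])


if __name__ == "__main__":
    # Seed 0 disables randomization; any other integer fixes a specific seed.
    for seed in (0, 1, 2):
        result = probe(seed)
        print(seed, result["hash"], result["order"])
    print("order depends on seed:", order_dependent())
```

Running a test suite under several fixed seeds in the same way surfaces tests that pass only because of one particular dict or set ordering.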