On Fri, Jan 20, 2012 at 8:17 AM, Victor Stinner <victor.stinner at haypocalc.com> wrote:
>> So I still think we should ditch the paranoia about dictionary order changing,
>> and fix this without counting.
>
> The randomized hash has other issues:
>
> - its security is based on its secret, whereas it looks to be easy to
>   compute it (see more details in the issue)
> - my patch only changes hash(str), whereas other developers asked me
>   to patch also bytes, int and other types

Changing hash(int) on a bugfix release will cause issues with extensions
(gmpy, sage, probably others) that calculate the hash of numerical objects.

>
> hash(bytes) can be changed. But changing hash(int) may leak easily the
> secret. We may use a different secret for each type, but if it is easy
> to compute int hash secret, dictionaries using int are still
> vulnerable.
>
> --
>
> There are no perfect solutions; drawbacks of each solution should be compared.
>
> Victor
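The compatibility concern raised in the reply, as an added example that is not part of the original message or of any patch discussed in it. `ExtInt`, `SaltedInt` and `SECRET` are hypothetical names: `ExtInt` stands in for an extension numeric type that reimplements the interpreter's integer hash, and `SaltedInt` simulates an interpreter whose int hash mixes in a secret (an arbitrary constructed scheme). It uses the numeric hash rule documented for current CPython 3 (`sys.hash_info.modulus`).

```python
import sys
from fractions import Fraction

P = sys.hash_info.modulus      # prime modulus CPython uses for numeric hashes
SECRET = 0x5BD1E995            # constructed value, stands in for a per-process secret


def numeric_hash(value: int) -> int:
    """Reimplement the documented int hash, as a numeric extension has to."""
    h = abs(value) % P
    if value < 0:
        h = -h
    return -2 if h == -1 else h    # -1 is reserved as an error code in C


class ExtInt:
    """Hypothetical extension integer; equal to ints, so it must hash like them."""

    def __init__(self, value: int):
        self.value = value

    def __eq__(self, other):
        if isinstance(other, ExtInt):
            return self.value == other.value
        if isinstance(other, int):
            return self.value == other
        return NotImplemented

    def __hash__(self):
        return numeric_hash(self.value)


class SaltedInt(int):
    """Simulates an interpreter that changed hash(int) to depend on a secret."""

    def __hash__(self):
        return numeric_hash(int(self) ^ SECRET)


def cross_type_lookup(int_key_type) -> bool:
    """Build a dict keyed by int_key_type and probe it with equal ExtInt keys."""
    table = {int_key_type(n): n for n in range(-3, 4)}
    return all(ExtInt(n) in table for n in range(-3, 4))


def matches_builtin(samples) -> bool:
    """True if the reimplemented hash agrees with the interpreter's hash(int)."""
    return all(numeric_hash(n) == hash(n) for n in samples)
```

With unchanged int hashing the extension keys are found; with the simulated salted hash the keys still compare equal, but the dictionary never reaches the equality check because the stored hashes differ.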