On Mon, Mar 20, 2017 at 11:30:59AM +0000, Robin Becker wrote:
> thanks for this; it seems the emphasis is on security. If the intent is that
> reportlab should be able to reliably reproduce the same binary output then I
> think I need to do more than just fix a couple of dates. We use many
> dictionary like objects to produce PDF and I am not sure all are sorted by
> key during output.

I'm sure the reproducible builds folks will send you patches if they find any
spots that you missed. ;-)

> Is there a way to excite dictionary ordering changes? I believe there was
> some way to modify the hashing introduced when the dos dictionary attacks
> were an issue. Would it be sufficient to generate documents with say Python
> 2.7 and check against 3.6?

Python 3.6 changed the dict implementation so the ordering is always stable
(and matches insertion order). You'll want to test with Python 3.5, which
perturbs the dict ordering randomly, as a side effect of the randomized
string/bytes hashes (unless you fix it by setting the PYTHONHASHSEED
environment variable[*])

[*] https://docs.python.org/3.3/using/cmdline.html#envvar-PYTHONHASHSEED

Regards,
Marius Gedminas
--
Yes, always begin work on inherited code by removing comments. Even if they
were maintained (they are not) they are natural language written by engineers
who cannot be understood ordering coffee in a diner. Getting back to comments
not being maintained, my saying on that one is, "Comments do not run."
        -- Kenny Tilton
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
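An added example, not part of the original message and not reportlab code: one way to provoke the ordering changes discussed above is to run the same generator in fresh interpreters under several PYTHONHASHSEED values and compare digests of the output. The two generator snippets are constructed stand-ins. They iterate a set of strings, because dicts are insertion-ordered from Python 3.6 while set iteration still follows the randomized string hashes, so the check works on any Python 3.

```python
import hashlib
import os
import subprocess
import sys

# Constructed stand-ins for a document generator (hypothetical, not reportlab).
# Both write the same keys; only the second sorts them before output.
_KEYS = ("keys = {'Title', 'Author', 'Producer', 'Creator', "
         "'Subject', 'Keywords', 'Pages', 'Root'}\n")
UNSORTED = _KEYS + "print('/'.join(keys))"
SORTED = _KEYS + "print('/'.join(sorted(keys)))"


def digest_under_seed(code, seed):
    """Run `code` in a fresh interpreter with PYTHONHASHSEED=seed and
    return the SHA-256 hex digest of everything it wrote to stdout."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    result = subprocess.run([sys.executable, "-c", code], env=env,
                            check=True, capture_output=True)
    return hashlib.sha256(result.stdout).hexdigest()


def distinct_outputs(code, seeds=range(1, 9)):
    """Group the seeds by the output digest they produced."""
    seen = {}
    for seed in seeds:
        seen.setdefault(digest_under_seed(code, seed), []).append(seed)
    return seen


def is_reproducible(code, seeds=range(1, 9)):
    """True when every seed yields byte-identical output."""
    return len(distinct_outputs(code, seeds)) == 1


if __name__ == "__main__":
    for name, code in (("unsorted", UNSORTED), ("sorted", SORTED)):
        groups = distinct_outputs(code)
        verdict = "reproducible" if len(groups) == 1 else "ORDER-DEPENDENT"
        print(f"{name}: {len(groups)} distinct output(s) -> {verdict}")
        for digest, seeds in groups.items():
            print(f"  {digest[:16]}  seeds={seeds}")
```

Pinning one seed makes a single run repeatable, but it hides the missing sort rather than finding it, which is why the check varies the seed.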