I am not sure about making it default. The problem with something like mod_wsgi is it is actually very hard to ever change the existing defaults, even if a new feature could be better.
This is because you simply can't risk upsetting existing users code in ways they don't expect. The need to stay with defaults is therefore a pain at times, because we know people don't read documentation and so work out that they should turn on optional features for better performance, stability, security etc. I might be prepared to break with that, but only if Python 3.X since not as many people would be using mod_wsgi there. IOW, off by default for Python 2.X and on by default for 3.X, but even that carries risk as people will eventually port code across and find problems then. Graham On 2 March 2012 08:59, Luke Macken <[email protected]> wrote: > Hello, > > As of 2.6.8, 2.7.3 and 3.2.3, Python supports hash seed randomization. See > http://bugs.python.org/issue13703 for details. > > It's off by default, except in 3.3+, and can be enabled via the > PYTHONHASHSEED=random environment variable, the -R command-line flag, or by > flipping the Py_HashRandomizationFlag flag in C before Python is initialized. > > Since we cannot alter the os.environ via Apache directives, like SetEnv, I > thought it would make sense to make a mod_wsgi configuration option for this. > > Attached is a patch that adds a WSGIHashRandomization configuration directive. > > I tested the patch and can confirm that `sys.flags.hash_randomization` > reflects > that it is getting properly enabled in my application. > > Right now the patch enables this feature by default, if it's available. This > behavior is obviously up for discussion, as it may break code that makes > assumptions about dictionary ordering and such (as seen in some stdlib unit > tests that broke). However, for security purposes, I think everyone will want > this feature turned on by default. > > Cheers, > > luke -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
