On 14/05/2018 at 19:12, INADA Naoki wrote:
> I'm sorry, the word *will* may be stronger than I thought.
>
> I meant if a memory image dumped on disk is used casually,
> it may make it easier to make a security hole.
>
> For example, if the `hg` memory image is reused, and it can be leaked in some
> way,
> hg serve will be hashdos weak.
This discussion subthread is not about having a memory image dumped on disk, but a daemon utility that preloads a new Python process when you first start up your CLI application. Each time a new process is preloaded, it will by construction use a new hash seed. (By contrast, the Node.js CVE issue you linked to is about having the same hash seed across a Node.js version; that's disastrous.) Also, you add a reuse limit to ensure that the hash seed is rotated (e.g. every 100 invocations).

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
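As an added illustration of the two points in the reply above (this is not code from the thread or from any preload daemon), the following Python script checks that each freshly started CPython process gets its own random hash seed, shows the contrasting pinned-seed case that makes string hashes identical across processes, and models the per-invocation reuse limit with a hypothetical `ReuseLimiter` class; the probe string and the seed value are constructed for the demonstration.

```python
"""Fresh interpreter => fresh hash seed; pinned seed => predictable hashes.
The ReuseLimiter models rotating a preloaded interpreter after N uses."""
import os
import subprocess
import sys

# Constructed probe: print the str hash a child interpreter computes.
PROBE = 'print(hash("hashdos-probe"))'


def hash_in_fresh_process(seed=None):
    """Return hash("hashdos-probe") as computed by a newly started interpreter.

    seed=None leaves CPython's per-process hash randomization on (the default
    since 3.3); an int pins PYTHONHASHSEED, which is the bad cross-process case.
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)  # do not inherit a pinned seed from the caller
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    out = subprocess.run([sys.executable, "-c", PROBE], env=env,
                         capture_output=True, text=True, check=True)
    return int(out.stdout)


def seeds_differ(n=3):
    """True when n fresh processes yield n distinct hashes (new seed each time)."""
    return len({hash_in_fresh_process() for _ in range(n)}) == n


def seeds_identical_when_pinned(n=3):
    """True when a pinned seed yields the same hash every time (hashdos-prone)."""
    return len({hash_in_fresh_process(seed=12345) for _ in range(n)}) == 1


class ReuseLimiter:
    """Hypothetical model of the reuse limit: hand out the current preloaded
    interpreter (identified by a generation number) and start a fresh one,
    hence a fresh hash seed, once it has served `limit` invocations."""

    def __init__(self, limit=100):
        self.limit = limit
        self.uses = 0
        self.generation = 0

    def acquire(self):
        if self.uses >= self.limit:
            self.generation += 1  # stands in for spawning a new interpreter
            self.uses = 0
        self.uses += 1
        return self.generation
```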