Hi Victor,

On 01/19/2012 05:48 PM, Victor Stinner wrote:
[snip]
> Using a randomized hash may
> also break (indirectly) real applications because the application
> output is also somehow "randomized". For example, in the Django test
> suite, the HTML output is different at each run. Web browsers may
> render the web page differently, or crash, or ... I don't think that
> Django would like to sort attributes of each HTML tag, just because we
> wanted to fix a vulnerability.

I'm a Django core developer, and if it is true that our test-suite has a
dictionary-ordering dependency that is expressed via HTML attribute
ordering, I consider that a bug and would like to fix it. I'd be
grateful for, not resentful of, a change in CPython that revealed the
bug and prompted us to fix it. (I presume that it is true, as it sounds
like you experienced it directly; I don't have time to play around at
the moment, but I'm surprised we haven't seen bug reports about it from
users of 64-bit Pythons long ago).

I can't speak for the core team, but I doubt there would be much
disagreement on this point: ideally Django would run equally well on any
implementation of Python, and as far as I know none of the alternative
implementations guarantee hash or dict-ordering compatibility with CPython.

I don't have the expertise to speak otherwise to the alternatives for
fixing the collisions vulnerability, but I don't believe it's accurate
to presume that Django would not want to fix a dict-ordering dependency,
and use that as a justification for one approach over another.

Carl
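
The dict-ordering dependency discussed in this message, shown as an added example that is not part of the original e-mail and is not Django's own code: a test that compares rendered HTML as strings fails when hash randomization changes attribute order, while a comparison on parsed tags with sorted attributes does not. The names `canonical_html` and `same_html` and the sample markup are hypothetical and constructed for illustration.

```python
from html.parser import HTMLParser


class _Canonicalizer(HTMLParser):
    """Record parse events with each tag's attributes in sorted order."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []

    def handle_starttag(self, tag, attrs):
        # attrs arrives as (name, value) pairs in source order; value is None
        # for bare attributes such as "disabled". Sorting removes any
        # dependence on the order the renderer happened to emit them in.
        ordered = sorted(attrs, key=lambda kv: (kv[0], kv[1] or ""))
        self.events.append(("start", tag, tuple(ordered)))

    def handle_endtag(self, tag):
        self.events.append(("end", tag))

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse runs of whitespace
        if text:
            self.events.append(("data", text))


def canonical_html(markup):
    """Return a list of parse events that ignores attribute order."""
    parser = _Canonicalizer()
    parser.feed(markup)
    parser.close()
    return parser.events


def same_html(a, b):
    """True when a and b differ at most in attribute order and whitespace."""
    return canonical_html(a) == canonical_html(b)


# Constructed sample: one tag as two runs with different hash seeds might emit it.
RUN_1 = '<input type="text" name="q" id="id_q" disabled>'
RUN_2 = '<input disabled id="id_q" name="q" type="text">'

if __name__ == "__main__":
    print(RUN_1 == RUN_2)           # string comparison is order-sensitive
    print(same_html(RUN_1, RUN_2))  # structural comparison is not
```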