On Tue, Feb 25, 2014 at 5:22 PM, Barry Warsaw <ba...@python.org> wrote:
> On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:
>
>>Oh, I thought security fixes go to all python releases.
>
> Well, not the EOL'd ones of course.

yes of course sorry.

>
> Where's the analysis on backporting SIPHash to older Python versions? Would
> such a backport break backward compatibility? What other impacts would
> backporting have? Would it break pickles, marshals, or other serialization
> protocols? Are there performance penalties?
>
> While security should be a top priority, it isn't the only consideration in
> such cases. A *lot* of discussion went into how to effect the hash
> randomization in Python 2.7, because of questions like these. The same
> analysis would have to be done for backporting this change to active older
> Python versions.

My impression is that a lot of discussion went into hash randomization, because it was a high profile issue. It got "fixed", then later someone discovered that the fix is completely broken and was left at that without much discussion because it's no longer "high visibility". I would really *like* to perceive this process as a lot of discussion going into because of ramification of changes.

Cheers,
fijal