Re: [Python-Dev] hash randomization in 3.3
Brett Cannon writes:

> I think that's inviting trouble if you can provide the seed. It leads to a false sense of security

I thought the point of providing the seed was for reproducibility of tests and the like?

As for false sense, can't we document this and chalk up hubristic behavior to consenting adults?

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] hash randomization in 3.3
On Feb 22, 2012, at 09:04 PM, Stephen J. Turnbull wrote:

> Brett Cannon writes:
> > I think that's inviting trouble if you can provide the seed. It leads to a false sense of security
>
> I thought the point of providing the seed was for reproducibility of tests and the like? As for false sense, can't we document this and chalk up hubristic behavior to consenting adults?

+1

-Barry
Re: [Python-Dev] hash randomization in 3.3
On Wed, 22 Feb 2012 12:59:33 -0500 Barry Warsaw ba...@python.org wrote:

> On Feb 22, 2012, at 09:04 PM, Stephen J. Turnbull wrote:
> > Brett Cannon writes:
> > > I think that's inviting trouble if you can provide the seed. It leads to a false sense of security
> >
> > I thought the point of providing the seed was for reproducibility of tests and the like? As for false sense, can't we document this and chalk up hubristic behavior to consenting adults?
>
> +1

How is it a false sense of security at all? It's the same as setting a private secret for e.g. session cookies in Web applications. As long as you don't leak the seed, it's (should be) secure.

(the only hypothetical issue being with Victor's choice of an LCG pseudo-random generator to generate the secret from the seed)

Regards

Antoine.
Re: [Python-Dev] hash randomization in 3.3
On 2/22/2012 1:57 AM, Nick Coghlan wrote:

> > In the tracker, someone proposed that the option is necessary to synchronize the seed across processes in a cluster. I'm sure people will use it for that if they can.
>
> Yeah, that use case sounds reasonable, too. Another example is that, even within a machine, if two processes are using shared memory rather than serialised IPC, synchronising the hashes may be necessary. The key point is that there *are* valid use cases for forcing a particular seed, so we shouldn't take that ability away.

When we document the option to set the seed, we could mention that synchronization of processes that share data is the main intended use.

--
Terry Jan Reedy
Re: [Python-Dev] hash randomization in 3.3
Antoine Pitrou writes:

> How is it a false sense of security at all? It's the same as setting a private secret for e.g. session cookies in Web applications. As long as you don't leak the seed, it's (should be) secure.

That's true. The problem is, the precondition that you won't leak the seed is all too often false. If a user takes advantage of the ability to set the seed, she can leak it, or a coworker (or a virus) can steal it from her source or keystroke logging, etc.

And it's not the same, at least not for a highly secure application. In high-quality security, session keys are generated for each session (and changed frequently); the user doesn't know them (of course, he can always find out if he really wants to know, and sometimes that's necessary -- Hello, Debian OpenSSH maintainer!), and so can't leak them.
Re: [Python-Dev] hash randomization in 3.3
2012/2/21 Antoine Pitrou solip...@pitrou.net:

> Hello,
> Shouldn't it be enabled by default in 3.3?

Should you be able to disable it?

--
Regards,
Benjamin
Re: [Python-Dev] hash randomization in 3.3
On Tue, 21 Feb 2012 14:58:41 -0500 Benjamin Peterson benja...@python.org wrote:

> 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > Hello,
> > Shouldn't it be enabled by default in 3.3?
>
> Should you be able to disable it?

PYTHONHASHSEED=0 should disable it. Do we also need a command-line option?

Regards

Antoine.
Re: [Python-Dev] hash randomization in 3.3
2012/2/21 Antoine Pitrou solip...@pitrou.net:

> On Tue, 21 Feb 2012 14:58:41 -0500 Benjamin Peterson benja...@python.org wrote:
> > 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > > Hello,
> > > Shouldn't it be enabled by default in 3.3?
> >
> > Should you be able to disable it?
>
> PYTHONHASHSEED=0 should disable it. Do we also need a command-line option?

I don't think so. I was just wondering if we should force people to use it.

--
Regards,
Benjamin
Re: [Python-Dev] hash randomization in 3.3
On 2/21/2012 11:58 AM, Benjamin Peterson wrote:

> 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > Hello,
> > Shouldn't it be enabled by default in 3.3?
>
> Should you be able to disable it?

Yes, absolutely.
Re: [Python-Dev] hash randomization in 3.3
On Tue, Feb 21, 2012 at 15:05, Barry Warsaw ba...@python.org wrote:

> On Feb 21, 2012, at 02:58 PM, Benjamin Peterson wrote:
> > 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > > Hello,
> > > Shouldn't it be enabled by default in 3.3?
>
> Yes.
>
> > Should you be able to disable it?
>
> No, but you should be able to provide a seed.

I think that's inviting trouble if you can provide the seed. It leads to a false sense of security in that providing some seed secures them instead of just making it a tad harder for the attack. And it won't help with keeping compatibility with Python 2.7 installations that don't have randomization turned on by default.

If we are going to allow people to turn this off then it should be basically the inverse of the default under Python 2.7 and no more.
Re: [Python-Dev] hash randomization in 3.3
2012/2/21 Antoine Pitrou solip...@pitrou.net:

> Hello,
> Shouldn't it be enabled by default in 3.3?

I've now enabled it by default in 3.3.

--
Regards,
Benjamin
Re: [Python-Dev] hash randomization in 3.3
On 2012-02-21, at 21:24 , Brett Cannon wrote:

> On Tue, Feb 21, 2012 at 15:05, Barry Warsaw ba...@python.org wrote:
> > On Feb 21, 2012, at 02:58 PM, Benjamin Peterson wrote:
> > > 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > > > Hello,
> > > > Shouldn't it be enabled by default in 3.3?
> >
> > Yes.
> >
> > > Should you be able to disable it?
> >
> > No, but you should be able to provide a seed.
>
> I think that's inviting trouble if you can provide the seed. It leads to a false sense of security in that providing some seed secures them instead of just making it a tad harder for the attack.

I might have misunderstood something, but wouldn't providing a seed always make it *easier* for the attacker, compared to a randomized hash?
Re: [Python-Dev] hash randomization in 3.3
On Tue, Feb 21, 2012 at 15:58, Xavier Morel python-...@masklinn.net wrote:

> On 2012-02-21, at 21:24 , Brett Cannon wrote:
> > On Tue, Feb 21, 2012 at 15:05, Barry Warsaw ba...@python.org wrote:
> > > On Feb 21, 2012, at 02:58 PM, Benjamin Peterson wrote:
> > > > 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > > > > Hello,
> > > > > Shouldn't it be enabled by default in 3.3?
> > >
> > > Yes.
> > >
> > > > Should you be able to disable it?
> > >
> > > No, but you should be able to provide a seed.
> >
> > I think that's inviting trouble if you can provide the seed. It leads to a false sense of security in that providing some seed secures them instead of just making it a tad harder for the attack.
>
> I might have misunderstood something, but wouldn't providing a seed always make it *easier* for the attacker, compared to a randomized hash?

Yes, that was what I was trying to convey.
Re: [Python-Dev] hash randomization in 3.3
On Feb 21, 2012, at 09:58 PM, Xavier Morel wrote:

> On 2012-02-21, at 21:24 , Brett Cannon wrote:
> > On Tue, Feb 21, 2012 at 15:05, Barry Warsaw ba...@python.org wrote:
> > > On Feb 21, 2012, at 02:58 PM, Benjamin Peterson wrote:
> > > > 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > > > > Hello,
> > > > > Shouldn't it be enabled by default in 3.3?
> > >
> > > Yes.
> > >
> > > > Should you be able to disable it?
> > >
> > > No, but you should be able to provide a seed.
> >
> > I think that's inviting trouble if you can provide the seed. It leads to a false sense of security in that providing some seed secures them instead of just making it a tad harder for the attack.
>
> I might have misunderstood something, but wouldn't providing a seed always make it *easier* for the attacker, compared to a randomized hash?

I don't think so. You'd have to somehow coerce the sys.hash_seed out of the process. Not impossible perhaps, but unlikely unless the application isn't written well and leaks that information (which is not Python's fault).

Plus, with randomization enabled, that won't help you much past the current invocation of Python.

-Barry
Re: [Python-Dev] hash randomization in 3.3
On 21.02.2012 20:59, Antoine Pitrou wrote:

> On Tue, 21 Feb 2012 14:58:41 -0500 Benjamin Peterson benja...@python.org wrote:
> > 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > > Hello,
> > > Shouldn't it be enabled by default in 3.3?
> >
> > Should you be able to disable it?
>
> PYTHONHASHSEED=0 should disable it. Do we also need a command-line option?

On the contrary. PYTHONHASHSEED should go in 3.3, as should any facility to disable or otherwise fix the seed.

Regards,
martin
Re: [Python-Dev] hash randomization in 3.3
> > Should you be able to disable it?
>
> No, but you should be able to provide a seed.

Why exactly is that? We should take an attitude that Python hash values are completely arbitrary and can change at any point without notice. The only strict requirement should be that hashing must be consistent with equality; everything else should be an implementation detail.

With that attitude, supporting explicit seeds is counter-productive.

Regards,
Martin
Re: [Python-Dev] hash randomization in 3.3
On Tue, 21 Feb 2012 22:51:48 +0100 Martin v. Löwis mar...@v.loewis.de wrote:

> On 21.02.2012 20:59, Antoine Pitrou wrote:
> > On Tue, 21 Feb 2012 14:58:41 -0500 Benjamin Peterson benja...@python.org wrote:
> > > 2012/2/21 Antoine Pitrou solip...@pitrou.net:
> > > > Hello,
> > > > Shouldn't it be enabled by default in 3.3?
> > >
> > > Should you be able to disable it?
> >
> > PYTHONHASHSEED=0 should disable it. Do we also need a command-line option?
>
> On the contrary. PYTHONHASHSEED should go in 3.3, as should any facility to disable or otherwise fix the seed.

Being able to reproduce exact output is useful to chase sporadic test failures (as with the --randseed option to regrtest).

Regards

Antoine.
Re: [Python-Dev] hash randomization in 3.3
On Wed, Feb 22, 2012 at 8:07 AM, Antoine Pitrou solip...@pitrou.net wrote:

> On Tue, 21 Feb 2012 22:51:48 +0100 Martin v. Löwis mar...@v.loewis.de wrote:
> > On the contrary. PYTHONHASHSEED should go in 3.3, as should any facility to disable or otherwise fix the seed.
>
> Being able to reproduce exact output is useful to chase sporadic test failures (as with the --randseed option to regrtest).

I'm with Antoine here - being able to force a particular seed still matters for testing purposes. However, the documentation of the option may need to be updated for 3.3 to emphasise that it should only be used to reproduce sporadic failures. Using it to work around applications that can't cope with randomised hashes would be rather ill-advised.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
Re: [Python-Dev] hash randomization in 3.3
> I'm with Antoine here - being able to force a particular seed still matters for testing purposes. However, the documentation of the option may need to be updated for 3.3 to emphasise that it should only be used to reproduce sporadic failures. Using it to work around applications that can't cope with randomised hashes would be rather ill-advised.

In the tracker, someone proposed that the option is necessary to synchronize the seed across processes in a cluster. I'm sure people will use it for that if they can.

Regards,
Martin
Re: [Python-Dev] hash randomization in 3.3
On Wed, Feb 22, 2012 at 3:20 PM, mar...@v.loewis.de wrote:

> > I'm with Antoine here - being able to force a particular seed still matters for testing purposes. However, the documentation of the option may need to be updated for 3.3 to emphasise that it should only be used to reproduce sporadic failures. Using it to work around applications that can't cope with randomised hashes would be rather ill-advised.
>
> In the tracker, someone proposed that the option is necessary to synchronize the seed across processes in a cluster. I'm sure people will use it for that if they can.

Yeah, that use case sounds reasonable, too. Another example is that, even within a machine, if two processes are using shared memory rather than serialised IPC, synchronising the hashes may be necessary.

The key point is that there *are* valid use cases for forcing a particular seed, so we shouldn't take that ability away.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
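
Added example, not part of the thread and not CPython's own code: the seed settings debated above, observed from fresh interpreter processes. It shows a fixed PYTHONHASHSEED making str hashes agree across processes (the test-reproduction and process-synchronisation cases), `0` disabling randomization, and `random` giving per-process values; SAMPLE_KEYS, CHILD_CODE and the function names are constructed for this illustration.

```python
import os
import subprocess
import sys

# Constructed sample keys; any str values behave the same way.
SAMPLE_KEYS = ("session", "user_id", "python-dev")

# Runs in the child: report the randomization flag, then hash each argument.
CHILD_CODE = (
    "import sys; "
    "print(sys.flags.hash_randomization, *[hash(k) for k in sys.argv[1:]])"
)


def child_report(seed_setting):
    """Start a fresh interpreter with PYTHONHASHSEED=seed_setting.

    seed_setting is "random", "0" (randomization off) or a decimal seed.
    Returns (randomization_flag, tuple_of_hashes) as seen by that process.
    """
    env = dict(os.environ, PYTHONHASHSEED=seed_setting)
    out = subprocess.run(
        [sys.executable, "-c", CHILD_CODE, *SAMPLE_KEYS],
        env=env, check=True, capture_output=True, text=True,
    ).stdout.split()
    return int(out[0]), tuple(int(tok) for tok in out[1:])


def stable_across_processes(seed_setting, runs=3):
    """True if `runs` independent processes compute identical hashes."""
    return len({child_report(seed_setting)[1] for _ in range(runs)}) == 1


if __name__ == "__main__":
    for setting in ("random", "0", "12345"):
        flag, _ = child_report(setting)
        print(f"PYTHONHASHSEED={setting}: randomized={flag}, "
              f"stable={stable_across_processes(setting)}")
```

A deployment that pins the seed for synchronisation has to treat that value like any other shared secret, which is the leak concern raised earlier in the thread.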