Path: csiph.com!feeder.erje.net!2.us.feeder.erje.net!newsfeed.fsmpi.rwth-aachen.de!newsfeed.straub-nv.de!news.mixmin.net!aioe.org!bofh.it!news.nic.it!robomod From: Julien Cristau Newsgroups: linux.debian.maint.python Subject: Re: CPython hash randomization makes some Python packages unreproducible Date: Sat, 09 Apr 2016 20:20:02 +0200 Message-ID: References: X-Original-To: Cara X-Mailbox-Line: From debian-python-request@lists.debian.org Sat Apr 9 18:12:03 2016 Old-Return-Path: X-Amavis-Spam-Status: No, score=-7.895 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, FOURLA=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, LDO_WHITELIST=-5, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Operating-System: Linux 4.4.0-1-amd64 x86_64 User-Agent: Mutt/1.5.24 (2015-08-30) X-Mailing-List: archive/latest/13736 List-ID: List-URL: List-Archive: https://lists.debian.org/msgid-search/20160409181140.GD2889@betterave.cristau.org Approved: robomod@news.nic.it Lines: 20 Organization: linux.* mail to news gateway Sender: robomod@news.nic.it X-Original-Cc: debian-python@lists.debian.org X-Original-Date: Sat, 9 Apr 2016 20:11:40 +0200 X-Original-Message-ID: <20160409181140.GD2889@betterave.cristau.org> X-Original-References: <1460222739.5012.44.camel@gmail.com> Xref: csiph.com linux.debian.maint.python:8409 On Sat, Apr 9, 2016 at 13:25:39 -0400, Cara wrote: > I think a better solution is disabling hash randomization by setting > PYTHONHASHSEED=0 when building Python packages with CPython for Debian, > probably somewhere in dh-python. Note that this isn't necessary for > PyPy, which doesn't have hash randomization[7]. Hash randomization was > implemented to prevent, "[H]ash collisions [being] exploited to DoS a > web framework that automatically parses input forms into > dictionaries"[8]. This shouldn't be an issue at build-time, as any > time CPython is run to read in the files written during the build, hash > randomization will be enabled again. > FWIW I think that's a bad idea. A number of packages run their test suite at build time, and running the tests with hash randomization enabled seems to me like something we shouldn't give up. Couldn't packages where the binary packages contents depend on the hash seed just set one themselves? Cheers, Julien