Re: CPython hash randomization makes some Python packages unreproducible
On Sat, Apr 9, 2016 at 13:25:39 -0400, Cara wrote:
> I think a better solution is disabling hash randomization by setting
> PYTHONHASHSEED=0 when building Python packages with CPython for Debian,
> probably somewhere in dh-python. Note that this isn't necessary for
> PyPy, which doesn't have hash randomization[7]. Hash randomization was
> implemented to prevent, "[H]ash collisions [being] exploited to DoS a
> web framework that automatically parses input forms into
> dictionaries"[8]. This shouldn't be an issue at build-time, as any
> time CPython is run to read in the files written during the build, hash
> randomization will be enabled again.
>
FWIW I think that's a bad idea. A number of packages run their test
suite at build time, and running the tests with hash randomization
enabled seems to me like something we shouldn't give up. Couldn't
packages where the binary packages contents depend on the hash seed just
set one themselves?
Cheers,
Julien
Reply to: