Federico Brega:
> Hello,
>
> I'm packaging an application making use of pyrcc5 and I noticed the
> nondeterminism it adds.
> I see[1] that the current description is not correct.
> You can see that pyrcc5 uses QHash, which is made to avoid algorithmic
> complexity attacks[2] by introducing a randomization.
>
> There are two possible solutions[2]: set the environment variable
> QT_HASH_SEED to a constant value before pyrcc5 is called (this is my
> current workaround) or call qSetGlobalQHashSeed().
>
> I can help with the implementation if needed.
>
> Regards
> --
> Federico
>
> [1] https://tests.reproducible-builds.org/debian/issues/unstable/nondeterminism_added_by_pyqt5_pyrcc5_issue.html
> [2] http://doc.qt.io/qt-5/qhash.html
Hi Federico,

It might be safer to subclass QHash into a deterministic QDetHash or something. This would allow one to use QHash both non-deterministically (to protect against DoS attacks) and deterministically in the same program, depending on the use-case. For example, the rust compiler internally uses a deterministic hash table but offers a non-deterministic version in its standard library, see https://github.com/rust-lang/rust/issues/34902 for details.

You are setting seed = 0 in a header file. If this is a public header file, then anyone that #includes it would lose protection against those attacks, not just pyrcc.

X

--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
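As an added illustration (not code from this thread, from Qt or from PyQt), here is a small Python model of what both messages describe: a seeded hash table whose iteration order changes with the seed, a QT_HASH_SEED override standing in for Federico's workaround, and, going beyond the thread, an emitter that sorts its rows so the output is reproducible without changing the global seed at all. The hash function, bucket count and resource names are constructed stand-ins, not Qt's real qHash() or a real .qrc file.

```python
import os
import random
from typing import Callable, Dict, List

BUCKETS = 16
# Constructed sample: resource names a .qrc file might list.
NAMES = ["icons/open.png", "icons/save.png", "qml/main.qml", "i18n/app_de.qm"]

def seeded_hash(key: str, seed: int) -> int:
    """Toy seeded string hash (FNV-1a with the seed folded into the basis).
    Stands in for Qt's seeded qHash(); only one property matters here: bucket
    placement, and so iteration order, depends on the seed."""
    h = (0x811C9DC5 ^ seed) & 0xFFFFFFFF
    for byte in key.encode("utf-8"):
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h

def current_seed() -> int:
    """Mimic Qt: QT_HASH_SEED in the environment overrides the random per-process seed."""
    env = os.environ.get("QT_HASH_SEED")
    return int(env) if env is not None else random.getrandbits(32)

def hash_table_order(names: List[str], seed: int) -> List[str]:
    """Order in which a bucketed hash table yields these keys for a given seed."""
    buckets: Dict[int, List[str]] = {}
    for name in names:
        buckets.setdefault(seeded_hash(name, seed) % BUCKETS, []).append(name)
    return [n for b in sorted(buckets) for n in buckets[b]]

def emit_table(names: List[str], seed: int) -> str:
    """pyrcc5-style resource table produced by walking the hash table (seed-dependent)."""
    rows = hash_table_order(names, seed)
    return "\n".join(f"{i}: {n}" for i, n in enumerate(rows))

def emit_table_sorted(names: List[str], seed: int) -> str:
    """Tool-side alternative: emit rows in canonical (sorted) order, so the seed is irrelevant."""
    rows = sorted(hash_table_order(names, seed))
    return "\n".join(f"{i}: {n}" for i, n in enumerate(rows))

def is_reproducible(emit: Callable[[List[str], int], str], names: List[str], runs: int = 2) -> bool:
    """Run the emitter several times, each with a fresh seed, and compare the outputs."""
    return len({emit(names, current_seed()) for _ in range(runs)}) == 1

if __name__ == "__main__":
    print("random seed, hash order:  ", is_reproducible(emit_table, NAMES, 8))
    os.environ["QT_HASH_SEED"] = "0"  # the workaround from the thread
    print("QT_HASH_SEED=0, hash order:", is_reproducible(emit_table, NAMES, 8))
    del os.environ["QT_HASH_SEED"]
    print("random seed, sorted output:", is_reproducible(emit_table_sorted, NAMES, 8))
```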