Hi Ximin,

> It might be safer to subclass QHash into a deterministic QDetHash or
> something. This would allow one to use QHash both non-deterministically (to
> protect against DoS attacks) and deterministically in the same program,
> depending on the use-case.
>
> For example, the rust compiler internally uses a deterministic hash table but
> offers a non-deterministic version in its standard library, see
> https://github.com/rust-lang/rust/issues/34902 for details.

This is perfect for an upstream bug; a Debian patch would be too large, and not really robust.

> You are setting seed = 0 in a header file. If this is a public header file,
> then anyone that #includes it would lose protection against those attacks,
> not just pyrcc.

My understanding was that rcc.h is a private header, which is only included by the python module pyrcc, which is also private and can be used only within PyQt. The only alternative I can implement is changing the shell wrapper (pyrcc5) that calls python3; the QT_HASH_SEED variable can be set in this wrapper, so it is clear that only pyrcc can be affected. For sure any upstream solution is better than a Debian patch.

--
Federico