report at bugs
Apr 11, 2012, 7:41 AM
Post #13 of 35
Charles-François Natali <neologix [at] free> added the comment:
[issue14532] multiprocessing module performs a time-dependent hmac comparison
> You call it obfuscating, I call it security correctness and developer education. Tomayto, tomahto. ;-)
Well, I'd be prompt to change to a more robust digest check
algorithm if the current one had a flaw, but AFAICT, it's not the case
(but I'm no security expert).
> Anywho, your call of course, feel free to close.
Being a core Python developer doesn't mean I'm right ;-)
I just don't think that "set an example for other hmac module users"
is a good reason on its own to complicate the code, which is currently
readable and - AFAICT - safe (complexity usually introduces bugs).
Furthermore, I somehow doubt that hmac users will go and have a look
at the multiprocessing connection challenge code when looking for an
One thing that could definitely be interesting is to look through the
code base and example to see if a similar - but vulnerable - pattern
is used, and fix such occurrences.
Python tracker <report [at] bugs>
Python-bugs-list mailing list
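
The code-base review suggested at the end of the comment above can be partly automated. The following is an added example, not code from the tracker thread or from CPython: a heuristic AST pass that reports `==`/`!=` comparisons where one operand is a `.digest()`/`.hexdigest()` result, so each hit can be reviewed for replacement with the standard library's `hmac.compare_digest`. The names `find_digest_equality` and `SAMPLE` are assumptions, and the sample source is constructed.

```python
import ast

DIGEST_METHODS = {"digest", "hexdigest"}

# Constructed sample input (not taken from the CPython code base).
SAMPLE = '''
import hmac

def check_unsafe(key, message, response):
    digest = hmac.new(key, message, "sha256").digest()
    return response == digest

def check_inline(key, message, response):
    return hmac.new(key, message, "sha256").hexdigest() != response

def check_safe(key, message, response):
    digest = hmac.new(key, message, "sha256").digest()
    return hmac.compare_digest(response, digest)

def unrelated(a, b):
    return a == b
'''

def _is_digest_call(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in DIGEST_METHODS)

def find_digest_equality(source):
    """Return sorted line numbers where a digest is compared with == or !=."""
    hits = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Names bound directly to a .digest()/.hexdigest() result in this function.
        tainted = {t.id for n in ast.walk(func)
                   if isinstance(n, ast.Assign) and _is_digest_call(n.value)
                   for t in n.targets if isinstance(t, ast.Name)}
        for n in ast.walk(func):
            if not (isinstance(n, ast.Compare)
                    and any(isinstance(op, (ast.Eq, ast.NotEq)) for op in n.ops)):
                continue
            operands = [n.left, *n.comparators]
            if any(_is_digest_call(o) or (isinstance(o, ast.Name) and o.id in tainted)
                   for o in operands):
                hits.add(n.lineno)
    return sorted(hits)

if __name__ == "__main__":
    print(find_digest_equality(SAMPLE))  # line numbers within SAMPLE
```

The pass only follows names assigned inside the same function and ignores module-level code, so it is a starting list for manual review rather than a complete audit.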