Message 350692 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	Arfrever, christian.heimes, loewis, ncoghlan, pitrou, rhettinger, vstinner
Date	2019-08-28.22:19:42
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1567030783.37.0.00510592948716.issue15206@roundup.psfhosted.org>
In-reply-to

Content
I close the issue. Python 3.7 and newer are fixed. Python 2.7 is still affected, but I consider that it's ok to leave the bug unfixed in this version. -- > The random number generator now reseeds after a fork. I confirm that it's done since Python 3.7, and Python 3.6 doesn't accept bugfixes anymore (only security fixes). So the issue is fixed in Python 3.7, 3.8 and master. For the record, the fix was this change: commit 346cbd351ee0dd3ab9cb9f0e4cb625556707877e Author: Antoine Pitrou <pitrou@free.fr> Date: Sat May 27 17:50:54 2017 +0200 bpo-16500: Allow registering at-fork handlers (#1715) Backporting this change to Python 3.6 and 3.5 would be too intrusive and risky. I don't think that this bug is important enough to be qualified as security vulnerability (the issue type is not "Security"). For Python 2.7, honestly, I don't think that the issue matters enough to justify to fix it today, knowning that Python 2.7 will reach its end of life at the end of the year. Moreover, apart Christian Heimes, no user ever complained about this issue. Note: uuid.uuid4() always used os.urandom(16) which is not affected by this issue on fork. Only uuid.uuid1() and uuid.getnode() has the bug in Python 2.7.

I close the issue. Python 3.7 and newer are fixed. Python 2.7 is still affected, but I consider that it's ok to leave the bug unfixed in this version.

--

> The random number generator now reseeds after a fork.

I confirm that it's done since Python 3.7, and Python 3.6 doesn't accept bugfixes anymore (only security fixes). So the issue is fixed in Python 3.7, 3.8 and master. For the record, the fix was this change:

commit 346cbd351ee0dd3ab9cb9f0e4cb625556707877e
Author: Antoine Pitrou <pitrou@free.fr>
Date:   Sat May 27 17:50:54 2017 +0200

    bpo-16500: Allow registering at-fork handlers (#1715)

Backporting this change to Python 3.6 and 3.5 would be too intrusive and risky. I don't think that this bug is important enough to be qualified as security vulnerability (the issue type is not "Security").


For Python 2.7, honestly, I don't think that the issue matters enough to justify to fix it today, knowning that Python 2.7 will reach its end of life at the end of the year. Moreover, apart Christian Heimes, no user ever complained about this issue.


Note: uuid.uuid4() always used os.urandom(16) which is not affected by this issue on fork. Only uuid.uuid1() and uuid.getnode() has the bug in Python 2.7.

History
Date	User	Action	Args
2019-08-28 22:19:43	vstinner	set	recipients: + vstinner, loewis, rhettinger, ncoghlan, pitrou, christian.heimes, Arfrever
2019-08-28 22:19:43	vstinner	set	messageid: <1567030783.37.0.00510592948716.issue15206@roundup.psfhosted.org>
2019-08-28 22:19:43	vstinner	link	issue15206 messages
2019-08-28 22:19:42	vstinner	create