This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients Mark.Shannon, christian.heimes, erlendaasland, gvanrossum, lemburg, methane, rhettinger, serhiy.storchaka, vstinner
Date 2021-10-07.09:07:32
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
"1.67 us +- 0.03 us: 1.78x faster" with a bytes string of 6k bytes sounds worth it to me.

When we talk about "security" here, we are talking about a denial of service attack on the dict worst case performance:

I know that it's not a popular opinion, but I don't think that this denial of service (DoS) is important. IMO there are enough other ways to crash a server. Moreover, the initial attack vector was a HTTP request with tons of header lines. In the meanwhile, the Python http module was modified to put arbitrary limits on the number of HTTP headers and the maximum length of a single HTTP header.

It's nice to limit the risk of a DoS, but I don't think that we should go too far. If it worked for Rust and Ruby, SipHash-1-3 should be good as well for Python.

I expect even more interesting speedup with bytes string longer than 6k bytes. And I'm quite sure that it's common that people manipulates long strings in Python :-)

I retarget this change to Python 3.11. Please don't backport it since it changes the Python build system (configure options).
Date User Action Args
2021-10-07 09:07:32vstinnersetrecipients: + vstinner, lemburg, gvanrossum, rhettinger, christian.heimes, methane, Mark.Shannon, serhiy.storchaka, erlendaasland
2021-10-07 09:07:32vstinnersetmessageid: <>
2021-10-07 09:07:32vstinnerlinkissue29410 messages
2021-10-07 09:07:32vstinnercreate