More info about nondeterminism_added_by_pyqt5_pyrcc5
Ximin Luo
infinity0 at debian.org
Wed Aug 16 12:02:00 UTC 2017
Federico Brega:
> Hello,
>
> I'm packaging an application making use of pyrcc5 and I noticed the
> nondeterminism it adds.
> I see[1] that this is currently description is not correct.
> You can see that pyrcc5 uses QHash, which is made to avoid algorithmic
> complexity attacks[2]
> introducing a randomization.
>
> There are two possible solutions[2]: set the environment variable
> QT_HASH_SEED to a constant value before
> pyrcc5 is called (this is my current workaround) or call qSetGlobalQHashSeed().
>
> I can help with the implementation if needed.
>
> Regards
> --
> Federico
>
> [1] https://tests.reproducible-builds.org/debian/issues/unstable/nondeterminism_added_by_pyqt5_pyrcc5_issue.html
> [2] http://doc.qt.io/qt-5/qhash.html
>
Hi Federico,
It might be safer to subclass QHash into a deterministic QDetHash or something. This would allow one to use QHash both non-deterministically (to protect against DoS attacks) and deterministically in the same program, depending on the use-case.
For example, the rust compiler internally uses a deterministic hash table but offers a non-deterimistic version in its standard library, see https://github.com/rust-lang/rust/issues/34902 for details.
You are setting seed = 0 in a header file. If this is a public header file, then anyone that #includes it would lose protection against those attacks, not just pyrcc.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
More information about the Reproducible-builds
mailing list