From 8c4d7ace88b5bc05b1b770ade86c30f6a6cccc4c Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@plope.com>
Date: Sat, 6 Nov 2010 00:42:43 -0400
Subject: i now understand what this does

---
 pyramid/session.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyramid/session.py b/pyramid/session.py
index bbb08622a..b4bc34a6a 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -244,8 +244,8 @@ def signed_deserialize(serialized, secret, hmac=hmac):
 
     sig = hmac.new(secret, pickled, sha1).hexdigest()
 
-    # Avoid timing attacks (note that this is cadged from Pylons and I
-    # have no idea what it means)
+    # Avoid timing attacks (see
+    # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
 
     if len(sig) != len(input_sig):
         raise ValueError('Wrong signature length')
-- 
cgit v1.2.3