compileall used the ctime of bytecode and source to determine if the bytecode should be recreated. This created a timing hole. Fixed by just doing what import does; check the mtime and magic number.

commit: 28d108893c5a6663c1747b1c79d0432ba7794e63 [log] [tgz]
author: Brett Cannon <bcannon@gmail.com> Tue Feb 10 02:07:38 2009 +0000
committer: Brett Cannon <bcannon@gmail.com> Tue Feb 10 02:07:38 2009 +0000
tree: 5d1379f9d117b038507be68206d60e541898e718
parent: 322daea7c3ba7fa73b09ebd50a78078d23d318a5 [diff]
diff --git a/Misc/ACKS b/Misc/ACKS
index 4bed872..48d312e 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS

@@ -183,7 +183,7 @@
 Andy Dustman
 Gary Duzan
 Eugene Dvurechenski
-Josip Dzolonga 
+Josip Dzolonga
 Maxim Dzumanenko
 Walter Dörwald
 Hans Eckardt
@@ -233,6 +233,7 @@
 Geoff Furnish
 Ulisses Furquim
 Achim Gaedke
+Martin von Gagern
 Lele Gaifax
 Santiago Gala
 Yitzchak Gale

diff --git a/Misc/NEWS b/Misc/NEWS
index 9003037..cc71e83 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS

@@ -152,6 +152,10 @@
 Library
 -------
 
+- Issue #5128: Make compileall properly inspect bytecode to determine if needs
+  to be recreated. This avoids a timing hole thanks to the old reliance on the
+  ctime of the files involved.
+
 - Issue #5122: Synchronize tk load failure check to prevent a potential
   deadlock.
commit	28d108893c5a6663c1747b1c79d0432ba7794e63	[log] [tgz]
author	Brett Cannon <bcannon@gmail.com>	Tue Feb 10 02:07:38 2009 +0000
committer	Brett Cannon <bcannon@gmail.com>	Tue Feb 10 02:07:38 2009 +0000
tree	5d1379f9d117b038507be68206d60e541898e718
parent	322daea7c3ba7fa73b09ebd50a78078d23d318a5 [diff]