Skip to content

Check MD5 & SHA1 usage#8542

Merged
chrisburr merged 1 commit into
DIRACGrid:integrationfrom
sfayer:mark_hashlib
May 22, 2026
Merged

Check MD5 & SHA1 usage#8542
chrisburr merged 1 commit into
DIRACGrid:integrationfrom
sfayer:mark_hashlib

Conversation

@sfayer
Copy link
Copy Markdown
Member

@sfayer sfayer commented May 19, 2026

Hi,

I've looked through all of the usage of MD5 & SHA1 in the codebase... The majority of these are just protection for accidental corruption and caching (where the input parameters aren't user controlled). I've marked these as usedforsecurity=False. (This flag doesn't do anything on non-FIPS systems, but is picked up by security scanners as a hint).

There is one place in the proxy cache where I swapped md5 out for truncated sha256: This doesn't make an enormous amount of difference and is more an "abundance of caution" style change.

Regards,
Simon

BEGINRELEASENOTES
*All
FIX: Mark md5/sha1 usage as not used for security where appropriate.
*Core
FIX: Use truncated sha256 for proxy hash (caching) rather than md5.
ENDRELEASENOTES

@chrisburr chrisburr merged commit 3d7bc21 into DIRACGrid:integration May 22, 2026
23 checks passed
@DIRACGridBot DIRACGridBot added the sweep:ignore Prevent sweeping from being ran for this PR label May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fstagni fstagni Awaiting requested review from fstagni fstagni is a code owner

@chaen chaen Awaiting requested review from chaen chaen is a code owner

@andresailer andresailer Awaiting requested review from andresailer andresailer is a code owner

@atsareg atsareg Awaiting requested review from atsareg atsareg is a code owner

Assignees

No one assigned

Labels

sweep:ignore Prevent sweeping from being ran for this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sfayer @chrisburr @aldbr @DIRACGridBot