-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Cython fails to build code on FIPS-enabled systems #2790
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
(rolling eyes) … I wonder what the problem is that people have with MD5 for non-cryptographic use cases… In case others are interested, FIPS is some certification standard from the USA: https://en.wikipedia.org/wiki/FIPS_140-2 MD5 is actually in the list of guaranteed algorithms (Py3.7): >>> import hashlib
>>> hashlib.algorithms_guaranteed
{'sha3_224', 'sha3_384', 'shake_256', 'shake_128', 'sha256', 'sha1', 'sha384', 'sha512', 'blake2b', 'sha3_512', 'md5', 'blake2s', 'sha224', 'sha3_256'} What hashes are available in your environment? SHA-1? I know, that's considered broken, too, but it's the fastest I have on my side, about twice as fast for me as SHA-256 (and actually a bit faster than MD-5). Funny enough, even SHA-512 is faster than SHA-256 for me. Might be a 64bit optimisation thing. Also note that this only regards the Cython compiler itself. Cython generated modules are not impacted by this and should work just fine on a FIPS system. |
I changed the file fingerprinting to SHA-1 for 3.0. Thanks for the report. |
Related (or possibly same) failure discussed here: https://bugzilla.redhat.com/show_bug.cgi?id=984445 @scoder What did you do to change the file fingerprinting and (presumably) successfully compile? tag @hellkite500 |
Presumably f00af64? |
@jameshalgren da-woods beat me to it: Looking at the git-blame this looks like the commit f00af64 changed the hash algorithm. Since this isn't in the released version, you can either try to patch yourself, or pull and install from head or some other candidate that has this change, i.e. this alpha release |
Cython crashes when it attempts to compile code on an FIPS-enabled system, because the md5 hashlib is disabled, as you can see in the log excerpt below (emphasis on the key error message mine):
` ------------------------------------------------------------
`
Is there a way to tell Cython to use an alternate hashlib, such as sha256? If not, there needs to be, because as it stands, no python package that requires Cython compiles can be built on any FIPS-enabled system. This is a serious, show-stopping problem.
The text was updated successfully, but these errors were encountered: