indicate md5 checksum is not used for security #5717
Conversation
💊 CI failures summary and remediationsAs of commit 402270b (more details on the Dr. CI page): 💚 💚 Looks good so far! There are no failures yet. 💚 💚 This comment was automatically generated by Dr. CI (expand for details).Please report bugs/suggestions to the (internal) Dr. CI Users group. |
|
Thanks @pmeier , I guess I'm missing some context but I'm a little unsure about the need for this change, or even about the utility of such parameter. As developers we just have to set |
There was a problem hiding this comment.
I'll approve, but I don't undestand how this usedforsecurity parameter will prevent any sort of security issue. If our code was indeed used for security, there is absolutely nothing that prevents us from setting usedforsecurity=False, and downstream FIPS system will happily run it? I'm not sure what the goal is, but I hope I'm completely missing the point.
As discussed offline, it'd be useful to add a comment with a link to this PR, with more context.
I don't think you are, but this shouldn't be our concern. I agree, the design of the flag is dubious at best. But we are a good faith actor here. The annotation is correct: we are not using the MD5 checksum for security (read cryptography). Thus, it is on the user to evaluate if they trust the libraries to set this flag correctly. Worst case, the environment flat out forbids MD5 checksum and we are back at the situation we had before. If however the environment accepts the annotation (like FIPS seems to do), we enable users to use |
I'm sorry, it is our concern. You and I have spent time on this thing. We're adding maintenance burden with this PR |
Summary: * indicate md5 checksum is not used for security * add explanation Reviewed By: NicolasHug Differential Revision: D35393171 fbshipit-source-id: 2e1a573d89dbeb8bbfee25e871b2c4d333835eb3
Fixes #4102 (comment).
This does not change the functionality in any way, but allows the use of our datasets on FIPS compliant systems that use Python >= 3.9.