scipy.weave.inline and Microsoft Visual C++: Generated filenames are too long.

[vanpact]

The function inline() from scipy.weave store temporarily the compiled files with a filename consisting mainly of a sha256 hash. However Microsoft Visual C++ supports only filename of less than 258 characters including the extension for compilation. Hence the compilation fail. ( https://visualstudio.uservoice.com/forums/121579-visual-studio/suggestions/2156195-fix-260-character-file-name-length-limitation ).

I can think of two easy solutions to fix the problem:

1. Trunk the hash by changin the line
   catalog.py:95: return base + sha256(expr).hexdigest()
   to: return base + sha256(expr).hexdigest()[:100]

2. Use another hash (md5?sha-1?sha-224?sha-3 224bits?)

[rgommers]

Hmm not good. Using sha-224 looks a little cleaner than truncation the output of sha-256, but whatever works I guess. @pv @TomasTomecek any preference for a solution?

[TomasTomecek]

I was talking to some security guys and they are fine with truncating those hashes (I'm not really a security person, wasn't sure about collisions and stuff).

I'm also fine with sha-224 since it's FIPS approved: link to pdf

[pv]

Let's just truncate the hash in the file names to a sane length (the same length for all platforms so that we avoid an unnecessary platform dependency).

[vanpact]

This post might help you to make your choice: https://crypto.stackexchange.com/questions/3153/sha-256-vs-any-256-bits-of-sha-512-which-is-more-secure

[juliantaylor]

no security evaluations need to be made here, the reason this was changed is to silence a bogus warning on fips pedantic systems about the mere use of md5.
md5 is sufficient as a hash key as used in this context, it is not a digital signature nor encryption.

as sha256 is a cryptographic hash it should be uniform in its distribution so we are free to truncate as much as we see fit to have acceptable low collisions.

[rgommers]

Fix in gh-3232.