Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider removing or making MD5 optional #1384

Closed
simo5 opened this issue Jul 30, 2019 · 10 comments · Fixed by #1385
Closed

Consider removing or making MD5 optional #1384

simo5 opened this issue Jul 30, 2019 · 10 comments · Fixed by #1385

Comments

@simo5
Copy link

@simo5 simo5 commented Jul 30, 2019

Hello,
recently I have been investigating an issue running some tests with Tox on a system configured in FIPS mode.
The tests failed immediately because Tox seem to be using MD5 which is a forbidden hash in FIPS mode as it is considered truly broken.

Given tox already has support for generating a SHA-256 Hash, I was wondering if you could consider either removing the use of MD5 completely or simply making it optional.

That would make it possible to run tests for components like python-cryptography in FIPS mode which is currently blocked on tox and would be really useful in many settings where use of FIPS mode is mandatory in general.

I've found 2 usages of md5 in tox:


base_resolved_python_md5=getdigest(sys.executable),

This seems selfcontained and possibly replacable by:

base_resolved_python_sha256=getdigest(sys.executable, hashtype="sha256")

"md5": installpkg.computehash("md5"),

Here the md5 hash is computed togteher with sha256 and maybe it can be omitted entirely or made optional (if MD5 initialization raises an exception, you skip it).


Would you accept a pull request?

@asottile
Copy link
Member

@asottile asottile commented Jul 30, 2019

Seems we could pretty easily switch all of those to be sha256 or some other equivalent hash, it currently gets written into the .tox-config1 marker file in the created environment

for instance:

$ cat /home/asottile/workspace/tox/.tox/pypy3/.tox-config1 
7c85d37487b1dd9996ce400baa8b50da /home/asottile/bin/pypy3
3.13.2 0 0 0
00000000000000000000000000000000 pip == 19.1.1

(another note: looks like the "package" digest isn't used at all -- always 00000...)

@gaborbernat
Copy link
Member

@gaborbernat gaborbernat commented Jul 30, 2019

@asottile I'm actually reworking this inside the rewrite, so that should solve it, but in the meantime, we can solve it here too 👍

@simo5
Copy link
Author

@simo5 simo5 commented Jul 30, 2019

CCing @hroncok

@asottile
Copy link
Member

@asottile asottile commented Jul 30, 2019

I took a stab in #1385

@simo5
Copy link
Author

@simo5 simo5 commented Jul 31, 2019

Thanks a lot guys, you rock!

@hroncok
Copy link
Contributor

@hroncok hroncok commented Jul 31, 2019

@simo5 Do you need a Fedora backport?

@simo5
Copy link
Author

@simo5 simo5 commented Jul 31, 2019

@hroncok it would be nice but not urgent, RHEL would be nice too.

@hroncok
Copy link
Contributor

@hroncok hroncok commented Jul 31, 2019

@hroncok it would be nice but not urgent

In that case, it will be shipped with next update.

RHEL would be nice too.

I'm afraid I don't know anything about tox in RHEL, you would probably need to open a bugzilla.

@gaborbernat
Copy link
Member

@gaborbernat gaborbernat commented Jul 31, 2019

@vstinner might be able to point you in the right direction 😃

@vstinner
Copy link

@vstinner vstinner commented Aug 1, 2019

(Sorry to spam the tox bug tracker!)

I'm afraid I don't know anything about tox in RHEL, you would probably need to open a bugzilla.

As Miro wrote, for Fedora and/or RHEL, it's better to open a request at https://bugzilla.redhat.com/

@tox-dev tox-dev locked and limited conversation to collaborators Jan 14, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

5 participants