New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace md5() with sha256() for hashing #265
Conversation
For FIPS[0] related installation, the MD5 modules are unavailable, to the tune of md5() raising an exception. Using sha256() from the same hashlib passes the same `make test` and is now FIPS compliant. [0] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
Nice, thank you. I'm concerned about backwards compatibility though, I know of some users who are checking for those md5 extractions using regex during the pre and post processing callbacks in this library. This may have to go in before a major version bump. |
Understood. We use (and rely on) semver as well. Do you by chance have a major release slated/in the works? |
No major releases planned but it could be done. |
I'd hate to chew up your major version space just for this one change, but we'll have to fork until it's released. Because this loads as a part of another packages setup_requirement, we can't avoid the code path (we run down it just by installing our requirements). Keep me posted here on what you decide. Thanks! |
Will do. The md5 stuff isn't really something that is exposed as a public interface to this package, so it wouldn't be terrible if we just landed this as a patch version. I know of only one downstream interacting with it directly. |
cc @trentm curious on your thoughts |
@shaunbrady another thought i'm having is to just keep the Basically:
Thoughts? |
@nicholasserra Hm, seems a little odd, but I understand the angle (backwards compatibility). Maybe take out the silliness in a future major release? I'm fine wiht it; if you say go, I'll code/test this up and make another PR. |
Definitely odd, but it's an internal hash basically, so as long as it's commented I think it's fine. You can push another commit to this branch and the PR will update accordingly :) Thanks! |
While sha256 can be used, the textual output is used in various places. Output needs truncated to 32 characters. See: #265
Updated. Note, for a few seconds there, this branch had two commits that were for our internal fork. They aren't sensitive, but I wouldn't commit them if you happened to see them. If fixed it so it should look like a normal pull now. |
Looks good to me, thank you for this patch and the collaboration :) |
For FIPS[0] related installation, the MD5 modules are unavailable, to
the tune of md5() raising an exception. Using sha256() from the same
hashlib passes the same
make test
and is now FIPS compliant.[0] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm