whisperity
commented
3 months ago The biggest issue I think is figuring out where hashes are stored and deciding whether existing hashes should be transitioned or we can accept duplicates.
There is a (likely outdated) pull request for the changing of md5() calls, but the signature it uses is only available since Py 3.9 and I'm not sure whether it's possible for us to set that as the lowest requirement just yet.
GunMetalBull305
CodeChecker uses hashlib md5() in several areas. This causes problems on FIPS enabled systems, since MD5 is not supported in that mode.
The hashlib md5() signature was updated to include a workaround in Python 3.9. Implementing this workaround in CodeChecker should allow it to function on FIPS systems.
If changing how md5() is called is not feasible, then it may also be possible to use sha256(), which is FIPS compliant.
We are using CodeChecker for our CD/CI, which is transitioning to a FIPS platform. This will become a blocker for that process.
Update: Simply replacing 'md5' with 'sha256' seems to work, but I don't know if there are any unintended side effects.