Closed DueViktor closed 11 months ago
Hey! Thanks for reporting, I'll see if this is relevant for us 🤗
Great @ArthurZucker. The pull request has passed all tests already and is ready to merge. No behaviour is changed.
My guess is that pretty much all federal systems in the world would have this issue.
Federal Information Processing Standards (FIPS) 140-2 is a mandatory standard for the protection of sensitive or valuable data within Federal systems. - https://www.wolfssl.com/license/fips/
Hey @DueViktor! Coming back to you about this request. We've finally specified hashlib usage in huggingface_hub, transformers, datasets and diffusers. Everything's merged now so I'll close this issue. Thanks again for the heads up!
Hi @Wauplin! Thanks so much for the update and for addressing the hashlib usage across all those libraries. Appreciate your team's prompt action on this matter. Keep up the fantastic work!
Feature request
From python 3.9 hashlib introduced the usedforsecurity argument:
transformers use hashing in many cases where the purpose is indeed not for security purposes. This should be specified in the code.
Motivation
Transformers use MD5 from hashlib, which is not a secure algorithm, but are not specifying that it is for other purposes than security. This is causing issues for organisations following certain security standards. FIPS compliance could be an example.
Your contribution
I will attach a PR specifying the usage of hashlib algorithms. Since usedforsecurity is only specified from 3.9+ and transformers support 3.6+, I'll add a functionality to detect python version and change kwargs based on that.
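The version-dependent kwargs approach described in the issue, as an added example that is not the code from the attached PR or from transformers. The helper names (`insecure_hashlib_kwargs`, `cache_key`, `md5_blocked_for_security_use`) are hypothetical.

```python
import hashlib
import sys


def insecure_hashlib_kwargs(version_info=sys.version_info):
    """Kwargs for hashlib constructors when the digest is NOT used for security.

    hashlib constructors accept usedforsecurity only from Python 3.9 on;
    passing it on older interpreters raises TypeError, so it is omitted there.
    """
    if tuple(version_info[:2]) >= (3, 9):
        return {"usedforsecurity": False}
    return {}


def cache_key(data: bytes) -> str:
    """MD5 hex digest used purely as an identifier (cache key, file name).

    Never use this value for integrity checks, signatures or authentication.
    """
    return hashlib.md5(data, **insecure_hashlib_kwargs()).hexdigest()


def md5_blocked_for_security_use() -> bool:
    """True when the interpreter refuses a plain hashlib.md5() call.

    On builds linked against an OpenSSL that enforces a restricted policy
    (for example FIPS mode), the default usedforsecurity=True call raises
    ValueError, which is the failure the issue describes.
    """
    try:
        hashlib.md5(b"")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input, not taken from any real cache.
    print("kwargs on this interpreter:", insecure_hashlib_kwargs())
    print("plain md5() blocked:", md5_blocked_for_security_use())
    print("cache key:", cache_key(b"config.json"))
```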