Closed fitgeek closed 4 months ago
Hi,
thanks you for opening the issue. What is FIPS?
The real fix is to have the developers move away from the use of md5. Why is that? We are not using it for security. I'm happy to use an alternative if there is a good one that is not security-focused (Which I assume is computationally expensive).
Regards,
Maarten
Basically md5 is cracked and is disallowed for security reasons. But using md5 for hashing a database key is okay. passing the 'its okay' flag will allow md5 to be used.
A cut and paste :) The FIPS system-wide cryptographic policy helps to configure higher-level restrictions. Therefore, communication protocols supporting cryptographic agility do not announce ciphers that the system refuses when selected. For example, the ChaCha20 algorithm is not FIPS-approved, and the FIPS cryptographic policy ensures that TLS servers and clients do not announce the TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS cipher suite, because any attempt to use such a cipher fails.
On Wed, Nov 1, 2023 at 11:26 AM Maarten Breddels @.***> wrote:
Hi,
thanks you for opening the issue. What is FIPS?
The real fix is to have the developers move away from the use of md5. Why is that? We are not using it for security. I'm happy to use an alternative if there is a good one that is not security-focused (Which I assume is computationally expensive).
Regards,
Maarten
— Reply to this email directly, view it on GitHub https://github.com/widgetti/solara/issues/365#issuecomment-1789446821, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADLKVVMHJMDCLVTM5Q3VZDYCKH6BAVCNFSM6AAAAAA6ZUUZYKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTOOBZGQ2DMOBSGE . You are receiving this because you authored the thread.Message ID: @.***>
I didn't reply on an alternative, SHA-256 would be better but slower. Maybe SHA-2? or BLAKE2? Richard
On Wed, Nov 1, 2023 at 11:26 AM Maarten Breddels @.***> wrote:
Hi,
thanks you for opening the issue. What is FIPS?
The real fix is to have the developers move away from the use of md5. Why is that? We are not using it for security. I'm happy to use an alternative if there is a good one that is not security-focused (Which I assume is computationally expensive).
Regards,
Maarten
— Reply to this email directly, view it on GitHub https://github.com/widgetti/solara/issues/365#issuecomment-1789446821, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADLKVVMHJMDCLVTM5Q3VZDYCKH6BAVCNFSM6AAAAAA6ZUUZYKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTOOBZGQ2DMOBSGE . You are receiving this because you authored the thread.Message ID: @.***>
I've kept the md5 algo, but marked it as usedforsecurity=False
. I know you prefer a different algo, but for now, this is a good compromise and an improvement.
Do you know how we can avoid this in the future? I can't find an easy way to check this in CI.
Feel free to open if you disagree.
I agree with the fix, its not critical.
FIPS prevents the use of hashlib.md5 for security reasons. Adding usedforsecurity=False will allow the use of hashlib.md5. The real fix is to have the developers move away from the use of md5.
PATH: venv/lib64/python3.8/site-packages/solara/cache.py LINE: 62 for my version codehash = hashlib.md5(f.code.co_code, usedforsecurity=False).hexdigest()