Hi Dagood,

Please can you tell me what FIPS's for? And why we can't use it outside Google?

On Thursday, July 4, 2024 at 1:45:37 AM UTC dagood wrote:
> Hi Devin,
>
> The FIPS functionality in Go (which, to be clear, is not supported for use
> outside of Google) is documented here:
> go/src/crypto/internal/boring/README.md at release-branch.go1.21 · golang/go (github.com)
> <https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/internal/boring/README.md>,
> and it's used by setting GOEXPERIMENT=boringcrypto.
>
> The GOEXPERIMENT=systemcrypto is a feature of the Microsoft fork of Go,
> not official Go.
> https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md is
> actually hosted in the microsoft/go repository, where that fork is
> maintained. I work on it, and I'm happy to help. (And, if you have any more
> questions related to this fork in the future, feel free to file a GitHub
> issue on microsoft/go directly.)
>
> The issue doesn't seem related to Grafana, but rather because *wire* was
> built with the Microsoft fork of Go but without specifying a backend, but
> with GOFIPS=1. *wire* isn't able to be compatible with FIPS without a
> backend, but it sees that FIPS is requested, so it fails safe. It isn't
> clear what the caller's intent is and failing is an opportunity to catch a
> mistake. You should either:
>
> 1. not set GOFIPS=1 until after calling *wire* (if at all!) or
> 2. build *wire* with GOEXPERIMENT=systemcrypto.
>
> I would default to (1). But if you are trying to make a FIPS compliant
> package build process, (2) would be the step towards that.
>
> Whether or not you need GOFIPS=1 at all depends on the purpose of your
> script/build process.
>
> > using GOFIPS=1 worked just fine on Go 1.20.5, however appears not to be
> > the case anymore.
>
> Yes, we only added this failsafe as of 1.21 of Microsoft Go. The first
> bullet in the 1.21 changelog
> <https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#go-121-aug-2023>
> has some details.
>
> Hope that helps!
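
Added example (not from the thread or from the microsoft/go project): POSIX shell helpers for option (1) in the quoted reply, plus an explicit preflight that reports when a tool would hit the fail-safe instead of silently working around it. The function names and the simplified outcome model are assumptions; only the systemcrypto backend named in the reply is recognised.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Go toolchain.

# Option (1): run a helper tool (e.g. a code generator) with GOFIPS removed
# from that one process only. The subshell leaves the caller's GOFIPS value
# untouched, so later build or test steps still see it.
run_without_gofips() {
    ( unset GOFIPS; exec "$@" )
}

# Simplified model of the fail-safe as the reply describes it.
#   $1 = GOFIPS value the tool will see ("" if unset)
#   $2 = GOEXPERIMENT the tool was built with ("" if none, comma-separated)
# Assumption: only the systemcrypto backend named in the thread is recognised.
tool_fips_outcome() {
    case ",$2," in
        *,systemcrypto,*) echo "backend-present"; return 0 ;;
    esac
    if [ "$1" = "1" ]; then
        echo "fails-safe"          # FIPS requested, no backend to honour it
    else
        echo "runs-without-fips"   # no FIPS request, nothing to fail on
    fi
}

# Preflight for a build script: stop early with both remedies spelled out,
# so the choice between (1) and (2) stays a deliberate one.
preflight_tool() {
    outcome=$(tool_fips_outcome "$1" "$2")
    if [ "$outcome" = "fails-safe" ]; then
        echo "GOFIPS=1 is set but the tool was built without a crypto backend." >&2
        echo "  (1) call it via run_without_gofips, or" >&2
        echo "  (2) rebuild it with GOEXPERIMENT=systemcrypto" >&2
        return 1
    fi
    return 0
}
```

In a build script, the generator step would be called as `run_without_gofips <tool> <args>` while the steps that must honour FIPS keep running with `GOFIPS=1` exported.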