bschoening commented on PR #1288: URL: https://github.com/apache/cassandra-python-driver/pull/1288#issuecomment-4365199570
I agree that full FIPS 140 compliance would be a broader conversation if we had reason to tackle that. However, I believe we can make meaningful incremental improvements here without overcomplicating the driver's architecture.

Specifically, adopting _usedforsecurity=False_ is simply good practice for modern Python. Since this was introduced in Python 3.9, it serves as explicit documentation that our use of MD5 isn't for cryptographic security. This is particularly helpful for users running automated compliance scanners; it allows those tools to recognize the usage as a non-issue rather than flagging it as a vulnerability.

Regarding the placement of the import: since the RandomPartitioner is rarely used in modern deployments, we could further "ringfence" the dependency by moving the MD5 import directly into the MD5Token class. This keeps the impact localized and ensures that the majority of users—who aren't using this partitioner—never even touch that logic.
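A sketch of the two changes proposed in this comment, as an added example that is not code from the PR or from the driver: MD5 is resolved inside the token class on first use and is requested with `usedforsecurity=False`. The class body, the `_new_md5` helper, the error message and the token derivation are assumptions made for illustration.

```python
import sys


class MD5Token:
    """Hypothetical stand-in for a RandomPartitioner token class."""

    _md5 = None  # resolved on first use; importing this module never touches MD5

    def __init__(self, value):
        self.value = value

    @classmethod
    def _new_md5(cls, data):
        try:
            if cls._md5 is None:
                # Local import: only callers of this partitioner reach MD5 at all.
                import hashlib
                if sys.version_info >= (3, 9):
                    # Marks the digest as non-cryptographic (token placement only).
                    cls._md5 = staticmethod(
                        lambda d: hashlib.md5(d, usedforsecurity=False))
                else:
                    # The keyword is not accepted before Python 3.9.
                    cls._md5 = staticmethod(hashlib.md5)
            return cls._md5(data)
        except (ValueError, AttributeError) as exc:
            # hashlib raises ValueError when the backing library refuses a digest;
            # report it at the point of use instead of at driver import time.
            raise RuntimeError(
                "MD5 unavailable; RandomPartitioner tokens cannot be computed"
            ) from exc

    @classmethod
    def hash_fn(cls, key):
        if isinstance(key, str):
            key = key.encode("utf-8")
        digest = cls._new_md5(key).digest()
        # Assumption: the token is the absolute value of the 16-byte digest
        # read as a signed big-endian integer.
        return abs(int.from_bytes(digest, "big", signed=True))

    @classmethod
    def from_key(cls, key):
        return cls(cls.hash_fn(key))


if __name__ == "__main__":
    print(MD5Token.from_key("constructed-partition-key").value)
```
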

