absurdfarce commented on PR #1288:
URL: https://github.com/apache/cassandra-python-driver/pull/1288#issuecomment-4385142980

   I mean, we can... kind of do that, you're right @bschoening.  But it's worth 
mentioning that the `usedforsecurity` flag was explicitly added to handle the 
FIPS case (there's quite a bit on that in the [CPython 
ticket](https://bugs.python.org/issue9216) referenced above).  And I'm not 
aware of any other use case which causes MD5 to outright _not be available_ in 
hashlib; this only becomes an issue when the backing OpenSSL impl which handles 
hashlib ops now doesn't support MD5 and the only plausible case for that is a 
FIPS-aware OpenSSL build.  So I agree that we can probably _logically_ decouple 
`usedforsecurity` support from FIPS support... but that feels like a _very_ 
thin slicing of functionality to me.
   
   I guess I have less of a problem with ringfencing the MD5 impl into 
MD5Token... that seems like a pretty safe step to me.  But this also gets to a 
problem I have with the original report (and maybe @lratc can shed some light 
here).  Is the problem actually in the _import_ of MD5 from hashlib or in the 
call to md5() later in the code?  Without clarity on exactly that point it's 
hard for me to measure which solution makes the most sense here.
   
   I've spent a fair portion of today trying to get a FIPS-aware environment up 
and running via Docker so that I can try to recreate what's going on and see 
where things actually fail.  That's proven significantly harder than I expected 
(as this kind of thing always does) but I'm planning on resuming that effort 
more soon.  Hopefully if I can get a locally reproducible case I can at least 
better understand the context of the problem.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
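
The comment above asks whether MD5 fails at import time or at call time. The probe below is an added example, not part of the comment or of the driver's code, and it reports which step fails in the running interpreter. The names `probe_md5` and `md5_digest` are hypothetical, and the sample input is constructed.

```python
import hashlib


def probe_md5():
    """Report at which step MD5 becomes unavailable in this interpreter.

    Checks three things separately: the attribute lookup that
    `from hashlib import md5` depends on, a plain md5() call, and an
    md5(usedforsecurity=False) call (keyword accepted on Python 3.9+).
    """
    result = {"import": None, "call": None, "call_not_for_security": None}

    md5 = getattr(hashlib, "md5", None)
    if md5 is None:
        # In this case `from hashlib import md5` raises ImportError.
        result["import"] = "missing"
        return result
    result["import"] = "ok"

    attempts = (("call", {}),
                ("call_not_for_security", {"usedforsecurity": False}))
    for key, kwargs in attempts:
        try:
            md5(b"probe", **kwargs).hexdigest()  # constructed input
            result[key] = "ok"
        except TypeError:
            # The interpreter does not accept the keyword (pre-3.9).
            result[key] = "unsupported-keyword"
        except ValueError as exc:
            # The backing implementation refused to create the digest.
            result[key] = "refused: %s" % exc
    return result


def md5_digest(data):
    """Non-security MD5 digest, the kind a class such as MD5Token needs.

    Hypothetical helper: passes usedforsecurity=False where the keyword
    exists and falls back to the plain call on older interpreters.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:
        return hashlib.md5(data).digest()


if __name__ == "__main__":
    for step, outcome in probe_md5().items():
        print(step, "->", outcome)
```

Run inside the FIPS-aware container, the three outcomes show whether the failure is in the import, in the plain call, or in neither once `usedforsecurity=False` is passed.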