Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use sha1, instead of md5 #191

Merged
merged 2 commits into from
Feb 29, 2024
Merged

Use sha1, instead of md5 #191

merged 2 commits into from
Feb 29, 2024

Conversation

szubster
Copy link
Contributor

This allows prebuild-install to be used on fips systems

This allows prebuild-install to be used on fips systems
@pasieronen
Copy link

Just ran into the same issue this week - your fix looks good to me!

@karolkalinski
Copy link

I have had the same issue when working with sharp-js library. Is there a chnace that this PR would be approved? cc: @vweevers

@krethh
Copy link

krethh commented Feb 19, 2024

@lovell Any chance we could get this merged? I'm also running into the same issue. FIPS-compliant systems ban the use of MD5 altogether so any libraries which have prebuild-install as a dependency will not build.

@lovell lovell added the semver-major Changes that break backward compatibility label Feb 19, 2024
@lovell
Copy link
Member

lovell commented Feb 19, 2024

For those using sharp please upgrade as the latest version no longer depends on prebuild-install.

util.js Outdated Show resolved Hide resolved
@@ -74,7 +74,7 @@ function trimSlashes (str) {
}

function cachedPrebuild (url) {
const digest = crypto.createHash('md5').update(url).digest('hex').slice(0, 6)
const digest = crypto.createHash('sha512').update(url).digest('hex').slice(0, 6)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the reason for not using an MD5 hash under the rules of FIPS is its predictability and therefore increased chance of collision then the subsequent use of slice(0, 6) negates hash choice anyway. 😅

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, it doesn't much matter in the end. This code will not be running as part of the system, only during build.
At the same time, node unfortunately, does not have an equivalent of usedforsecurity parameter from python's hashlib

@lovell lovell added semver-patch Bug fixes that are backward compatible and removed semver-major Changes that break backward compatibility labels Feb 20, 2024
@lovell
Copy link
Member

lovell commented Feb 20, 2024

I originally tagged this as semver-major but given cache filesystem layout isn't really part of the external API we can probably release this under semver-patch and reduce ecosystem upgrade churn. I'm going to leave this PR for a few days in case other maintainers have thoughts around this.

@szubster
Copy link
Contributor Author

Ready to merge? :)

@lovell lovell merged commit 9140468 into prebuild:master Feb 29, 2024
13 checks passed
@lovell
Copy link
Member

lovell commented Feb 29, 2024

7.1.2 now available

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
semver-patch Bug fixes that are backward compatible
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants