FIPS compliance during publish #8311
Conversation
As md5 is only used to get additional hash alongside with sha256, a passing of usedforsecurity=False is required. This option was introduced in Python 3.9 so we need to make sure we check whether that version is present
|
you forgot to import sys but: this 100% is used for security, surely? the whole point of the hash is so that downloaders can later verify that the downloaded package is the same as the one that was uploaded. agree that this is not actually secure - which is why sha256 is preferred - but compare what twine did - pypa/twine#367 - which is simply not provide the md5 hash when compiled in FIPS mode |
|
This would be nice to have |
|
@jeeftor per previous comment, this merge request is quite wrong - and I see no sign that the author intends to fix it. If you care about this then recommend making a new merge request yourself. |
|
I was hoping my comment would enhance them to make progress. I just turned off FIPS mode last night and poetry was moving along well enough ... :( |
|
Superseded by #9101 |
|
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
As md5 is only used to get additional hash alongside with sha256, a passing of usedforsecurity=False is required. This option was introduced in Python 3.9 so we need to make sure we check whether that version is present
Pull Request Check List
Resolves: #8310