Consider removing or making MD5 optional

[simo5]

Hello,
recently I have been investigating an issue running some tests with Tox on a system configured in FIPS mode.
The tests failed immediately because Tox seem to be using MD5 which is a forbidden hash in FIPS mode as it is considered truly broken.

Given tox already has support for generating a SHA-256 Hash, I was wondering if you could consider either removing the use of MD5 completely or simply making it optional.

That would make it possible to run tests for components like python-cryptography in FIPS mode which is currently blocked on tox and would be really useful in many settings where use of FIPS mode is mandatory in general.

I've found 2 usages of md5 in tox:

---

tox/src/tox/_pytestplugin.py

Line 506 in 1908b19

base_resolved_python_md5=getdigest(sys.executable),

This seems selfcontained and possibly replacable by:

base_resolved_python_sha256=getdigest(sys.executable, hashtype="sha256")

---

tox/src/tox/logs/env.py

Line 39 in a8b34cc

"md5": installpkg.computehash("md5"),

Here the md5 hash is computed togteher with sha256 and maybe it can be omitted entirely or made optional (if MD5 initialization raises an exception, you skip it).

---

Would you accept a pull request?

[asottile]

Seems we could pretty easily switch all of those to be sha256 or some other equivalent hash, it currently gets written into the .tox-config1 marker file in the created environment

for instance:

$ cat /home/asottile/workspace/tox/.tox/pypy3/.tox-config1 
7c85d37487b1dd9996ce400baa8b50da /home/asottile/bin/pypy3
3.13.2 0 0 0
00000000000000000000000000000000 pip == 19.1.1

(another note: looks like the "package" digest isn't used at all -- always 00000...)

[gaborbernat]

@asottile I'm actually reworking this inside the rewrite, so that should solve it, but in the meantime, we can solve it here too 👍

[simo5]

CCing @hroncok

[asottile]

I took a stab in #1385

[simo5]

Thanks a lot guys, you rock!

[hroncok]

@simo5 Do you need a Fedora backport?

[simo5]

@hroncok it would be nice but not urgent, RHEL would be nice too.

[hroncok]

@hroncok it would be nice but not urgent

In that case, it will be shipped with next update.

RHEL would be nice too.

I'm afraid I don't know anything about tox in RHEL, you would probably need to open a bugzilla.

[gaborbernat]

@vstinner might be able to point you in the right direction 😃

[vstinner]

(Sorry to spam the tox bug tracker!)

I'm afraid I don't know anything about tox in RHEL, you would probably need to open a bugzilla.

As Miro wrote, for Fedora and/or RHEL, it's better to open a request at https://bugzilla.redhat.com/

Red Hat Bugzilla Main Page