Consider removing or making MD5 optional #1384
Comments
Seems we could pretty easily switch all of those to be sha256 or some other equivalent hash, it currently gets written into the for instance:
$ cat /home/asottile/workspace/tox/.tox/pypy3/.tox-config1
7c85d37487b1dd9996ce400baa8b50da /home/asottile/bin/pypy3
3.13.2 0 0 0
00000000000000000000000000000000 pip == 19.1.1
(another note: looks like the "package" digest isn't used at all -- always |
@asottile I'm actually reworking this inside the rewrite, so that should solve it, but in the meantime, we can solve it here too 👍 |
CCing @hroncok |
I took a stab in #1385 |
Thanks a lot guys, you rock! |
@simo5 Do you need a Fedora backport? |
@hroncok it would be nice but not urgent, RHEL would be nice too. |
In that case, it will be shipped with the next update.
I'm afraid I don't know anything about tox in RHEL, you would probably need to open a bugzilla. |
@vstinner might be able to point you in the right direction 😃 |
(Sorry to spam the tox bug tracker!)
As Miro wrote, for Fedora and/or RHEL, it's better to open a request at https://bugzilla.redhat.com/ |
Hello,
recently I have been investigating an issue running some tests with Tox on a system configured in FIPS mode.
The tests failed immediately because Tox seems to be using MD5, which is a forbidden hash in FIPS mode as it is considered truly broken.
Given tox already has support for generating a SHA-256 Hash, I was wondering if you could consider either removing the use of MD5 completely or simply making it optional.
That would make it possible to run tests for components like python-cryptography in FIPS mode which is currently blocked on tox and would be really useful in many settings where use of FIPS mode is mandatory in general.
I've found 2 usages of md5 in tox:
tox/src/tox/_pytestplugin.py
Line 506 in 1908b19
This seems self-contained and possibly replaceable by:
tox/src/tox/logs/env.py
Line 39 in a8b34cc
Here the md5 hash is computed together with sha256 and maybe it can be omitted entirely or made optional (if MD5 initialization raises an exception, you skip it).
Would you accept a pull request?
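
An added example, not tox's code and not from anyone in this thread, of the approach proposed above: always compute SHA-256 and skip MD5 when its initialization raises. The names `file_digests` and `fips_like_new` are hypothetical, and it assumes a FIPS-enabled Python build raises `ValueError` from `hashlib.new("md5")`.

```python
import hashlib
import os
import tempfile

REQUIRED = "sha256"   # must always be available
OPTIONAL = ("md5",)   # legacy digest, dropped when the platform refuses it


def file_digests(path, new=hashlib.new, chunk_size=65536):
    """Return {algorithm: hexdigest} for the file at path.

    `new` is the hash constructor. It is a parameter only so the FIPS
    behaviour can be simulated below (hypothetical hook, not tox's API).
    """
    hashers = {REQUIRED: new(REQUIRED)}
    for name in OPTIONAL:
        try:
            hashers[name] = new(name)
        except ValueError:
            # Assumption: FIPS-mode OpenSSL rejects MD5 with ValueError.
            # Skip the optional digest instead of failing the whole run.
            continue
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def fips_like_new(name, data=b""):
    """Constructed stand-in for hashlib.new on a FIPS-enabled host."""
    if name == "md5":
        raise ValueError("md5 is disabled (simulated FIPS mode)")
    return hashlib.new(name, data)


def demo():
    """Hash a constructed sample file with and without MD5 available."""
    with tempfile.NamedTemporaryFile(delete=False) as handle:
        handle.write(b"constructed sample payload\n")
        path = handle.name
    try:
        return file_digests(path), file_digests(path, new=fips_like_new)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Anything that reads the resulting record has to treat the `md5` key as absent-able, since it only appears on hosts where MD5 can be initialized.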