Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set MD5 usedforsecurity=False for Python versions which support it #7620

Merged
merged 4 commits into from
Nov 22, 2022
Merged

Set MD5 usedforsecurity=False for Python versions which support it #7620

merged 4 commits into from
Nov 22, 2022

Conversation

szelenka
Copy link
Contributor

@szelenka szelenka commented Nov 22, 2022
edited
Loading

To allow Prefect to run in FIPS 140-2 environments, it cannot use the md5 algorithm. For Python 3.9+ it's possible to add an extra parameter to the md5 call, this change adds that extra parameter to allow it to function in FIPS environments

closes #7615

Example

Adds partial for md5 to include usedforsecurity=False

Checklist

  • This pull request references any related issue by including "closes <link to issue>"
    • If no issue exists and your change is not a small fix, please create an issue first.
  • This pull request includes tests or only affects documentation.
  • This pull request includes a label categorizing the change e.g. fix, feature, enhancement

@netlify
Copy link

netlify bot commented Nov 22, 2022
edited
Loading

Deploy Preview for prefect-orion ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 13c307b
🔍 Latest deploy log https://app.netlify.com/sites/prefect-orion/deploys/637d178e1a985f0009f885fb
😎 Deploy Preview https://deploy-preview-7620--prefect-orion.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@zanieb
Copy link
Contributor

zanieb commented Nov 22, 2022

Hi! Thanks for contributing, this is a little tricky as this is a breaking change. These hashes have meaning for existing users. Perhaps we can expose this as a setting?

@szelenka
Copy link
Contributor Author

@madkinsz would it be okay to copy the Dask approach? This would still use the md5 algorithm, but simply add the usedforsecurity=False parameter .. AFAIK, these don't appear to be used for security. Can you confirm?

@zanieb
Copy link
Contributor

zanieb commented Nov 22, 2022

That seems reasonable! These are definitely not used for security.

@szelenka szelenka changed the title Changing default hash_algo to sha512 instead of md5 Set MD5 usedforsecurity=False for Python versions which support it Nov 22, 2022
@szelenka szelenka marked this pull request as ready for review November 22, 2022 18:40
@szelenka szelenka requested a review from zanieb as a code owner November 22, 2022 18:40
@zanieb zanieb merged commit b105dbb into PrefectHQ:main Nov 22, 2022
@szelenka szelenka deleted the feature/7615/disable-md5 branch January 31, 2023 18:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zanieb zanieb zanieb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MD5 not supported without usedforsecurity=False in FIPS 140-2 environment
3 participants
@szelenka @zanieb @szelenka-cisco