[WIP] Provide alternatives to md5 signatures #3447
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
One larger note.. the function names should be changed from MD5 to Hash or SConsHash or something like that? |
|
Sure, a more considered rework could do that. |
|
So if you build with no md5 and then rebuild with, it's going to rebuild everything right? |
|
Should we store the hash type with the hash in the sconsign? "md5:",etc.. ? |
mwichmann
force-pushed
the
wip-md5less
branch
from
7e41d3a to
4fe3c4b
Compare
|
Pushed a rebase of this to get a fresh build - I had previously updated the tests to get the new guid strings, but must have lost that set of changes when I pulled patches into this branch. I'll fix that up, as well as the problem in the sconsign tests. |
mwichmann
added a commit
to mwichmann/scons
that referenced
this pull request
Jan 10, 2020
Different expected guid in MSVS tests Initialize SCons.Util.md5 to a string as expected for sconsign tests One sider complaint; ignoring the one about star imports as UtilTests.py use 30+ symbols from SCons.Util. Signed-off-by: Mats Wichmann <[email protected]>
Work in progress (see TODO) Broadly, two changes (1) in the Visual Studio area, use uuid (Python standard library) to generate GUID identifiers instead of specifically using md5. Simplifies things as uuid lib can provide already formatted strings and that does not have to be done in place. TODO: some of the wired-in GUIDs in tests need to change to what is being produced now. (2) For use by file hashes, fall back to sha1 if md5 is not available (rare, but documented in Python documentation as being possible in a "FIPS Compliant" build of Python, and actually encountered by an scons user); while considering hashslib itself always present. Like uuid, this is Python standard library since well before the oldest supported Python version (both added in 2.5). Util.py now describes the hash being used in Util.md5, this is used to distinguish expected values in tests. Except for tests, nobody should need to look inside: Util.md5 will still evaluate True. Security comment: the hashes are not used for any security purpose whatsoever, only for file-change detection, which in turn is used only for rebuild calculations, not for tampering detection. Thus the alternative is sha1, which also is "not secure", but which is as fast (in recent Py3 apparently even faster) as md5 hash computation. An additional fallback, should anyone develop problems with sha1 is sha256. Signed-off-by: Mats Wichmann <[email protected]>
Different expected guid in MSVS tests Initialize SCons.Util.md5 to a string as expected for sconsign tests One sider complaint; ignoring the one about star imports as UtilTests.py use 30+ symbols from SCons.Util. Signed-off-by: Mats Wichmann <[email protected]>
New way of generating gives different values, so update "expected" values Signed-off-by: Mats Wichmann <[email protected]>
mwichmann
force-pushed
the
wip-md5less
branch
from
de5f383 to
28dacb5
Compare
mwichmann
added a commit
to mwichmann/scons
that referenced
this pull request
May 1, 2020
In the Visual Studio area, use uuid (Python standard library) to generate GUID identifiers instead of specifically using md5. Simplifies things as uuid lib can provide already formatted strings of the form that we need. This is split off from PR SCons#3447 by request. Signed-off-by: Mats Wichmann <[email protected]>
3 tasks
|
Withdrawing, the intent of these changes has been incorporated through two other merged PRs. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Work in progress (see TODO)
Broadly, two changes
Security comment: the hashes are not used for any security purpose whatsoever, only for file-change detection, which in turn is used only for rebuild calculations, not for tampering detection. Thus the alternative is sha1, which also is "not secure", but which is as fast (in recent Py3 apparently even faster) as md5 hash computation. An additional fallback, should anyone develop problems with sha1 is sha256.
Signed-off-by: Mats Wichmann [email protected]
Contributor Checklist:
master/src/CHANGES.txtdirectory (and read theREADME.txtin that directory)