[Distutils] Proposal: drop md5 for sha256

PJ Eby pje at telecommunity.com
Wed Jul 4 02:50:07 CEST 2012


On Tue, Jul 3, 2012 at 7:33 PM, Jennings, Jared L CTR USAF AFMC 46 SK/CCI <
jared.jennings.ctr at eglin.af.mil> wrote:

> On hosts configured for compliance with U.S. Federal Information
> Processing Standard (FIPS) 140-2
> <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>, like
> those in some banks and, yes, the U.S. Department of Defense,
> cryptographic modules (such as OpenSSL, which underlies hashlib) are not
> allowed to calculate MD5 digests, because MD5 is no longer a FIPS
> Approved digest algorithm.
>

So if it's not a cryptographic module, it's okay?  ;-)

> I know no one is trying here to lean on MD5 for security, but the
> standard says nothing about the reason why you're using MD5: just that
> you can't.
>
> No one expects a digest algorithm to fail, and Python 2.x may not have
> been fixed to check for that before being frozen
> <https://bugzilla.redhat.com/show_bug.cgi?id=746118#c3>, so if you run
> an MD5 checksum on a FIPS-compliant system with an unpatched Python 2.x,
> the Python interpreter will segfault. (Ruby, too, had this problem and
> was itself only recently fixed,
> <http://bugs.ruby-lang.org/issues/4944>.)
>
> I have to configure hosts in accordance with FIPS 140-2, so the more
> places I can get rid of MD5, the fewer headaches I have.
>

If we replace it with something else, then I suggest we replace it with
something that's even MORE braindead than md5 so that nobody will mistake
it for a secure hash.  Otherwise, we will have this exact same problem all
over again when the replacement "secure" hash is disabled by a newer
version of FIPS.

The other option is simply to forgo a checksum altogether and assume same
size = same file.  Honestly, I don't remember why we cared about detecting
such modifications in the first place: neither PEP 376 nor 262 explains why,
and 376 doesn't explain why it went with md5 instead of sha1 (as in PEP
262).
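
The two points raised in this message, as an added example that is not part of the original post or of distutils: a digest helper that falls back when the host refuses an algorithm, and a check showing that a same-size edit passes a size-only comparison but fails a digest comparison. The record tuple, the file name and the algorithm name "no-such-digest" are constructed for illustration; the example assumes a current Python 3, where an unavailable algorithm makes hashlib.new() raise ValueError.

```python
import hashlib
import os
import tempfile

def digest_file(path, algorithms=("sha256",)):
    """Return (name, hexdigest) using the first algorithm this host allows."""
    for name in algorithms:
        try:
            h = hashlib.new(name)  # assumption: ValueError if unavailable
        except ValueError:
            continue
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return name, h.hexdigest()
    raise RuntimeError("no usable digest among %r" % (algorithms,))

def record_entry(path, algorithms=("sha256",)):
    """Constructed record format: (size, algorithm, hexdigest)."""
    name, hexdigest = digest_file(path, algorithms)
    return os.path.getsize(path), name, hexdigest

def check(path, entry):
    """Return (size_matches, digest_matches) for a recorded entry."""
    size, name, hexdigest = entry
    return (os.path.getsize(path) == size,
            digest_file(path, (name,))[1] == hexdigest)

def demo():
    """Record a file, change it without changing its size, re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "module.py")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"DEBUG = False\n")
        entry = record_entry(path)
        before = check(path, entry)
        with open(path, "wb") as f:
            f.write(b"DEBUG = True \n")  # same length, different content
        after = check(path, entry)
        # "no-such-digest" stands in for an algorithm the host refuses
        fallback = digest_file(path, ("no-such-digest", "sha256"))[0]
    return before, after, fallback

if __name__ == "__main__":
    print(demo())
```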