
fix: Work on FIPS 140-2 Enabled Systems

Open linville opened this issue 3 years ago • 0 comments

Pull Request Check List

  • [x] A news fragment is added in news/ describing what is new.
  • [ ] Test cases added for changed code.

Describe what you have changed in this PR.

This PR fixes pdm to work on FIPS 140-2 enabled systems using Python 3.9+.

The change adds the usedforsecurity=False kwarg to the usage of hashlib.md5(..) in cli/commands/venv/utils.py. This does not appear to be security-related code (but someone else more familiar with this area should probably chime in on this).

The usedforsecurity kwarg was added in Python 3.9; to maintain compatibility with Python 3.7, this uses the hashlib.new generic constructor. Note: pdm will continue to fail using Python 3.7 and 3.8 on FIPS 140-2 enabled systems (swapping out for another hash supported by older Pythons like sha256 will likely work, but I'm unsure what all expects the existing hash to be what it is).

Background / FIPS Restrictions

On FIPS 140-2 enabled systems, running a command like pdm build will lead to an error:

$ pdm build 
Building sdist... 
See /tmp/pdm-build-rp3wfnc5.log for detailed debug log. 
[ValueError]:  disabled for FIPS 
Add '-v' to see the detailed traceback

linville, Aug 10 '22 00:08
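The compatibility pattern the PR describes (pass usedforsecurity=False through hashlib.new on 3.9+, fall back to the plain constructor on older interpreters, where the keyword does not exist), as an added illustration that is not pdm's code: the helper name `fingerprint` and the `md5_available` probe are assumptions made here, and the fallback path is the one the PR says still fails under FIPS on Python 3.7/3.8.

```python
import hashlib


def fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of `data` for non-security identification (cache keys, names).

    Hypothetical helper, not pdm's own code. On Python 3.9+ the digest object
    is created with usedforsecurity=False, which tells a FIPS-enabled OpenSSL
    that MD5 is being used as a checksum rather than for a security purpose.
    On 3.7/3.8 hashlib.new() has no such keyword and raises TypeError, so the
    plain constructor is used instead; under a FIPS policy that call will
    still raise ValueError, matching the failure mode described in the PR.
    """
    try:
        h = hashlib.new(algorithm, usedforsecurity=False)
    except TypeError:
        # Interpreter older than 3.9: keyword unsupported, no FIPS escape hatch.
        h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def md5_available() -> bool:
    """Probe whether the running interpreter/OpenSSL will construct an MD5
    object at all (False on a FIPS-enabled system with an old Python)."""
    try:
        fingerprint(b"", "md5")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs; the digests are the standard MD5/SHA-256 test vectors.
    print("md5 usable:", md5_available())
    print("md5(abc)   :", fingerprint(b"abc"))
    print("sha256(abc):", fingerprint(b"abc", "sha256"))
```

Switching the algorithm argument to sha256 is the FIPS-approved route the PR mentions for older interpreters, with the caveat it also raises: the resulting digest differs from the MD5 one, so anything that persisted or compared the old value would need to be considered.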