Pulp

Background¶

Users need to install pulpcore in a FIPS compatible environments, therefore all dependencies need to be FIPS compatible. Django specifically we know is not FIPS compatible.

The Plan¶

Test pulpcore and it's dependencies in the CentOS 8 pulplift FIPS environment. Then for any dependencies that are not FIPS compatible, develop a patch and then contribute that patch in one of the following ways listed further down.

Developing the patch before contributing it¶

Use a fork of the dependency and apply your patch to a branch on top of the tag Pulp uses as it's dependency. So for example, for Django we use the latest 2.2 tag. So apply the patch onto a forked Django 2.2.16.

Adding these branches to the pulplift environment¶

We need the pulplift EL7 and EL8 environments to use these branches instead of the ones from PyPI. For example the CI job in pulp_installer for FIPS EL7 and EL8 fail due to Django not being patched.

Where to go with a patch once its finalized?¶

Two things should be done for each patch:

1. Contribute the patch to upstream. This will cause both PyPI and RPM packaged versions to be FIPS compatible.
2. Produce a .patch file to be included in anyone's RPM and store it in the pulp-packaging repo.