
Story #8258

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

As an installer user, I don't have special FIPS detection

Added by bmbouter 2 months ago. Updated about 1 month ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
Installer
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 92
Quarter:

Description

Motivation

The installer's FIPS features are described here. This is problematic in a few ways.

  1. Pulp is on the hook to rebase the django-forked-and-patched every time upstream Django puts out a CVE release. This puts Pulp on the critical path for CVE releases, which is not a good arrangement.
  2. Users are using bits in production that aren't available on PyPI. This is unusual.
  3. The installer adjusts the value for ALLOWED_CONTENT_CHECKSUMS instead of letting pulpcore's default prevail. With 3.11 md5 and sha-1 are being removed, so the installer should no longer adjust this.

Solution

  • Remove the FIPS docs page.
  • Remove the installer codepaths related to FIPS
  • No longer install the branched checkout https://github.com/mdellweg/django/tree/fips and instead receive Django from PyPI as usual.
  • Provide some documented instructions for dev environments on the django and pulpcore patches they need to apply for dev environments (since the installer will no longer do this). (Consider putting into pulp_devel role, or depending on vars like pulp_source_dir.)

Associated revisions

Revision ae47f49e View on GitHub
Added by gerrod about 1 month ago

FIPS Django now manually patch when using pulp_devel

fixes: #8258


History

#1 Updated by bmbouter about 2 months ago

  • Description updated (diff)

#2 Updated by bmbouter about 2 months ago

  • Tracker changed from Issue to Story
  • Category set to Installer
  • % Done set to 0
  • Severity deleted (2. Medium)
  • Triaged deleted (No)

#3 Updated by ggainey about 2 months ago

Suggestion from 19-FEB FIPS checkin: arrange to apply the pulpcore md5-is-useful-sometimes patch, only in the CI/test environment/role

#4 Updated by ggainey about 2 months ago

Suggestion: dev-role (only) delivers branched/patched django

#5 Updated by mdepaulo@redhat.com about 2 months ago

  • Description updated (diff)

#6 Updated by ipanova@redhat.com about 2 months ago

  • Sprint/Milestone set to 3.11.0

#7 Updated by daviddavis about 2 months ago

I think we could run these commands in the dev and test environments to patch django:

# Directory that contains the installed django package (the "Location:" line of pip show)
django_location=$(pip show django | grep Location | cut -d' ' -f2)
# Mark the MD5 use as non-security so it is permitted under FIPS mode (Python 3.9+ keyword)
sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/' "$django_location/django/db/backends/utils.py"

#8 Updated by bmbouter about 2 months ago

daviddavis wrote:

I think we could run these commands in the dev and test environments to patch django:

django_location=$(pip show django | grep Location | cut -d' ' -f2)
sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/' "$django_location/django/db/backends/utils.py"

For a dev and test environment, I'm +1 to this.

#9 Updated by daviddavis about 2 months ago

The django fips fork lives at https://github.com/pulp/django/tree/fips. We should remove this repo as part of this work.

#10 Updated by gerrod about 2 months ago

  • Assignee set to gerrod

#11 Updated by ipanova@redhat.com about 1 month ago

  • Status changed from NEW to ASSIGNED
  • Sprint set to Sprint 91

#12 Updated by fao89 about 1 month ago

- name: Patch Django
  shell: |
    # Literal block (|) keeps the line break between the two commands. With the
    # folded scalar (>-) they are joined into one line, so the assignment becomes a
    # prefix of the sed command and "$django_location" expands to an empty string.
    django_location=$({{ pulp_install_dir }}/bin/pip show django | grep Location | cut -d' ' -f2)
    sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/' "$django_location/django/db/backends/utils.py"
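The patch step from comments #7 and #12, as an added example that is not part of this story or of pulp_installer: a Python version of the sed substitution that is idempotent and reports what it changed, plus a probe for whether the running interpreter is actually blocked on MD5. The names md5_status, patch_md5_source and patch_md5_file are assumptions, and SAMPLE_UTILS is a constructed stand-in for the Django file.

```python
import hashlib
from pathlib import Path

# The substitution daviddavis proposed above. sed's basic regex treats "(" and ")"
# literally, so a plain string replace is the faithful Python equivalent.
OLD = "hashlib.md5()"
NEW = "hashlib.md5(usedforsecurity=False)"

# Constructed stand-in for the relevant line of django/db/backends/utils.py.
SAMPLE_UTILS = "def names_digest(*args, length):\n    h = hashlib.md5()\n"


def md5_status():
    """Classify how this interpreter treats MD5.

    "usable"       : hashlib.md5() works (host is not in FIPS mode)
    "fips-blocked" : hashlib.md5() raises, hashlib.md5(usedforsecurity=False) works
    "no-keyword"   : neither works; the usedforsecurity keyword needs Python 3.9+
    """
    try:
        hashlib.md5()
        return "usable"
    except ValueError:
        pass
    try:
        hashlib.md5(usedforsecurity=False)
        return "fips-blocked"
    except (TypeError, ValueError):
        return "no-keyword"


def patch_md5_source(source):
    """Return (patched_source, number_of_calls_changed).

    Already-patched calls no longer match OLD, so re-applying changes nothing.
    """
    count = source.count(OLD)
    return source.replace(OLD, NEW), count


def patch_md5_file(path):
    """Patch a file in place, like the sed command; return how many calls changed."""
    path = Path(path)
    patched, count = patch_md5_source(path.read_text())
    if count:
        path.write_text(patched)
    return count


if __name__ == "__main__":
    # Assumed: Django is installed in the active virtualenv (the `pip show django` step).
    import django
    target = Path(django.__file__).parent / "db" / "backends" / "utils.py"
    print(md5_status(), patch_md5_file(target), "call(s) patched in", target)
```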

#13 Updated by pulpbot about 1 month ago

  • Status changed from ASSIGNED to POST

#14 Updated by rchan about 1 month ago

  • Sprint changed from Sprint 91 to Sprint 92

#15 Updated by gerrod about 1 month ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#16 Updated by ipanova@redhat.com about 1 month ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
