Story #8258
Task #7960 (closed): FIPS and support for ALLOWED_CONTENT_CHECKSUMS
As an installer user, I don't have special FIPS detection
Description
Motivation
The installer's FIPS features are described here. This is problematic in a few ways.
- Pulp is on the hook to rebase the django-forked-and-patched every time upstream Django puts out a CVE release. This puts Pulp on the critical path for CVE releases, which is not a good arrangement.
- Users are using bits in production that aren't available on PyPI. This is unusual.
- The installer adjusts the value for ALLOWED_CONTENT_CHECKSUMS instead of letting pulpcore's default prevail. With 3.11, md5 and sha1 are being removed, so the installer should no longer adjust this.
Solution
- Remove the FIPS docs page.
- Remove the installer codepaths related to FIPS
- No longer install the branched checkout https://github.com/mdellweg/django/tree/fips and instead receive Django from PyPI as usual.
- Provide some documented instructions for dev environments on the django and pulpcore patches they need to apply for dev environments (since the installer will no longer do this). (Consider putting into pulp_devel role, or depending on vars like pulp_source_dir.)
Related issues
Updated by bmbouter over 3 years ago
- Tracker changed from Issue to Story
- Category set to Installer - Moved to GitHub issues
- % Done set to 0
- Severity deleted (2. Medium)
- Triaged deleted (No)
Updated by ggainey over 3 years ago
Suggestion from 19-FEB FIPS checkin: arrange to apply the pulpcore md5-is-useful-sometimes patch, only in the CI/test environment/role
Updated by ggainey over 3 years ago
Suggestion: dev-role (only) delivers branched/patched django
Updated by daviddavis over 3 years ago
I think we could run these commands in the dev and test environments to patch django:
django_location=$(pip show django | grep Location | cut -d' ' -f2)
sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/' "$django_location/django/db/backends/utils.py"
Updated by bmbouter over 3 years ago
daviddavis wrote:
I think we could run these commands in the dev and test environments to patch django:
django_location=$(pip show django | grep Location | cut -d' ' -f2)
sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/' "$django_location/django/db/backends/utils.py"
For a dev and test environment, I'm +1 to this.
Updated by daviddavis over 3 years ago
The django fips fork lives at https://github.com/pulp/django/tree/fips. We should remove this repo as part of this work.
Updated by ipanova@redhat.com over 3 years ago
- Status changed from NEW to ASSIGNED
- Sprint set to Sprint 91
Updated by fao89 over 3 years ago
- name: Patch Django
  shell: |
    # Literal block (|) keeps the two commands on separate lines; a folded
    # block (>-) would join them into one line, so sed would run before
    # django_location is set and receive an empty path prefix.
    django_location=$({{ pulp_install_dir }}/bin/pip show django | grep Location | cut -d' ' -f2)
    sed -i 's/hashlib.md5()/hashlib.md5(usedforsecurity=False)/' "$django_location/django/db/backends/utils.py"
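Both the shell snippet from daviddavis and the Ansible task above make a single substitution in django/db/backends/utils.py: the hashlib.md5() call that Django uses for non-security purposes (shortening index and constraint names) becomes hashlib.md5(usedforsecurity=False), which a FIPS-enabled OpenSSL permits. The following is an added example, written for this page and not code from the Pulp issue or the pulp_installer project; it shows in Python what that substitution achieves, how to tell whether a host is in FIPS mode, and how to verify a checked-out utils.py already carries the patch. The /proc path, the names_digest mirror and the two source snippets are assumptions/constructed samples.

```python
"""Added example (not from the Pulp issue or pulp_installer).

On a FIPS-enabled host, OpenSSL refuses MD5 for security use, so a bare
hashlib.md5() raises.  Python >= 3.9 accepts usedforsecurity=False, which
tells OpenSSL the digest is not a security primitive and is allowed under
FIPS.  That is exactly what the sed patch in this thread changes in Django.
"""
import hashlib
from pathlib import Path

# Constructed samples standing in for the relevant line of
# django/db/backends/utils.py before and after the sed patch.
UNPATCHED_SNIPPET = "def names_digest(*args, length):\n    h = hashlib.md5()\n"
PATCHED_SNIPPET = (
    "def names_digest(*args, length):\n"
    "    h = hashlib.md5(usedforsecurity=False)\n"
)


def parse_fips_flag(text: str) -> bool:
    """The kernel exposes '1' when FIPS mode is active, '0' otherwise."""
    return text.strip() == "1"


def fips_enabled(proc_path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """Read the Linux FIPS flag (assumed standard path).

    A missing or unreadable file means this is not a FIPS kernel, so the
    host does not need the Django patch at all.
    """
    try:
        return parse_fips_flag(Path(proc_path).read_text())
    except OSError:
        return False


def md5_non_security(*parts: str):
    """MD5 for non-security uses, e.g. deriving short identifier names.

    Python >= 3.9 accepts usedforsecurity=False; older interpreters raise
    TypeError for the keyword, and there the plain constructor is the only
    option (which is why it fails on FIPS hosts with old Pythons).
    """
    try:
        h = hashlib.md5(usedforsecurity=False)
    except TypeError:
        h = hashlib.md5()
    for part in parts:
        h.update(part.encode())
    return h


def names_digest(*args: str, length: int) -> str:
    """Mirror (assumption) of Django's helper: hex digest cut to `length`.

    The value is an index/constraint name fragment, not a security check,
    so MD5 with usedforsecurity=False is appropriate here.
    """
    return md5_non_security(*args).hexdigest()[:length]


def is_sed_patch_applied(utils_py_source: str) -> bool:
    """True when the utils.py source carries the patched call and no bare
    hashlib.md5() remains, i.e. the sed substitution already ran."""
    return (
        "hashlib.md5(usedforsecurity=False)" in utils_py_source
        and "hashlib.md5()" not in utils_py_source
    )


if __name__ == "__main__":
    print("FIPS mode:", fips_enabled())
    print("names_digest('foo', 'bar', length=8) ->", names_digest("foo", "bar", length=8))
    print("unpatched snippet patched?", is_sed_patch_applied(UNPATCHED_SNIPPET))
    print("patched snippet patched?  ", is_sed_patch_applied(PATCHED_SNIPPET))
```

Running is_sed_patch_applied against the real file after the sed step is a cheap idempotency check for the dev/test role: re-running the substitution is harmless, but reporting whether it actually changed anything catches a Django upgrade that reverted the patch.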
Updated by pulpbot over 3 years ago
- Status changed from ASSIGNED to POST
Added by gerrod over 3 years ago
Revision ae47f49e
FIPS Django now manually patch when using pulp_devel
fixes: #8258
Updated by gerrod over 3 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset ansible-pulp|ae47f49ef9b79cd79851d0caa245559ceabbc7ce.
Updated by ipanova@redhat.com over 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Updated by mdepaulo@redhat.com over 3 years ago
- Related to Issue #8834: Pulp_installer refuses to install in non-devel mode with FIPS enabled added