Project

Profile

Help

Story #8258

closed

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

As an installer user, I don't have special FIPS detection

Added by bmbouter almost 4 years ago. Updated over 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
Installer - Moved to GitHub issues
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 92
Quarter:

Description

Motivation

The installer's FIPS features are described here. This is problematic in a few ways.

  1. Pulp is on the hook to rebase the django-forked-and-patched everytime upstream Django puts out a CVE release. This puts Pulp on the critical path for CVE releases, which is not a good arrangement.
  2. Users are using bits in production that aren't available on PyPI. This is unusual
  3. The installer adjusts the value for ALLOWED_CONTENT_CHECKSUMS instead of letting pulpcore's default prevail. With 3.11 md5 and sha-1 are being removed, so the installer should no longer adjust this.

Solution

  • Remove the FIPS docs page.
  • Remove the installer codepaths related to FIPS
  • No longer install the branched checkout https://github.com/mdellweg/django/tree/fips and instead receive Django from PyPI as usual.
  • Provide some documented instructions for dev environments on the django and pulpcore patches they need to apply for dev environments (since the installer will no longer do this). (Consider putting into pulp_devel role, or depending on vars like pulp_source_dir.)

Related issues

Related to Pulp - Issue #8834: Pulp_installer refuses to install in non-devel mode with FIPS enabledCLOSED - CURRENTRELEASEmdepaulo@redhat.comActions

Also available in: Atom PDF