[Scons-users] [Non-DoD Source] Re: Feature Request: Add Support for detecting build changes via sha256

Mats Wichmann mats at wichmann.us
Wed Aug 15 13:26:28 EDT 2018


On 08/15/2018 09:26 AM, RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL wrote:
> Mats,
> 
> Sorry not sure what happened there I will try sending my message again.
> 
> In short, our system is configured to run in FIPS mode (Federal Information Processing Standard).  In this mode, md5 is not an allowed cryptographic algorithm and SCons will not work at all if we don't patch it (unless we change it to check timestamps instead).  Our current patch makes SCons only work in sha256 mode which I fully understand is not desirable.  Once we get a chance we will rework the patch to make it an option and move forward from there to work with you all.
> 
> Thanks again,
> Ryan

okay, so you have a policy issue that bans md5, which is *not* a
cryptographic hashing function at all, even in the case where it is not
used for any security purpose whatsoever but only as a hash to identify
file changes.  That's... misguided, but we don't get to argue with
governmental standards.  I'm guessing this is what applies (from Python
docs for hashlib):

"""
Constructors for hash algorithms that are always present in this module
are sha1(), sha224(), sha256(), sha384(), sha512(), blake2b(), and
blake2s(). md5() is normally available as well, though it may be missing
if you are using a rare “FIPS compliant” build of Python.
"""

So since Python itself acknowledges such a thing exists, I guess scons
should be able to operate in the presence of such a Python - that is,
fall back to some other method if md5 is missing. Note some of those are
only in new Pythons and would not be appropriate for scons yet.
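The fallback Mats describes (use md5 when the interpreter has it, otherwise a FIPS-approved digest) sketched as a small, self-contained Python helper. This is an added illustration, not SCons code and not a patch anyone on the thread posted; the preference list, function names and the simulated "unavailable algorithm" in the comments are all assumptions of this example.

```python
import hashlib

# Preference order: md5 first so existing signature databases stay valid
# on non-FIPS hosts, then FIPS-approved digests. Constructed for this
# example; it is not SCons's own setting.
HASH_PREFERENCE = ("md5", "sha256", "sha1")


def select_hash_algorithm(preference=HASH_PREFERENCE):
    """Return the first algorithm in `preference` this Python can construct.

    On a FIPS-restricted build, hashlib.new("md5") raises ValueError when
    OpenSSL refuses the algorithm, and hashlib.md5 may be missing entirely
    (AttributeError).  Both cases are treated as "not available here" and
    the next candidate is tried.
    """
    for name in preference:
        try:
            hashlib.new(name)
        except (ValueError, AttributeError, TypeError):
            continue
        return name
    raise RuntimeError("no usable hash algorithm among %r" % (preference,))


def content_signature(data, algorithm=None):
    """Hex digest of `data` using the chosen (or auto-selected) algorithm.

    The digest is only a change-detection fingerprint, exactly as in a
    build tool; collision resistance is not what it is relied on for.
    """
    h = hashlib.new(algorithm or select_hash_algorithm())
    h.update(data)
    return h.hexdigest()


def source_changed(old_signature, data, algorithm=None):
    """True when `data` no longer matches a previously recorded signature."""
    return content_signature(data, algorithm) != old_signature


if __name__ == "__main__":
    # Constructed sample input standing in for a source file's bytes.
    sample = b"int main(void) { return 0; }\n"
    algo = select_hash_algorithm()
    sig = content_signature(sample, algo)
    print("using %s: %s" % (algo, sig))
    print("changed after edit:", source_changed(sig, sample + b"// edit\n", algo))
```

Two practical notes on this approach. First, `select_hash_algorithm(("md5",))` raising on a FIPS host is the failure Ryan reports, so a build tool wanting to run there has to let the list continue past md5. Second, switching algorithm changes every stored signature, so the first build after the switch rebuilds everything; recording the algorithm name alongside each signature lets the tool tell "file changed" apart from "algorithm changed".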
