Skip to content

Relax FIPS constraints on PyPi packages

Stan Hu requested to merge sh-relax-pypi-fips into master

What does this MR do and why?

Previously on a FIPS system if a PyPi package were uploaded that included md5_digest, the upload would fail with a 422 Unprocessible Entity error due to !87180 (merged). This commit relaxes the constraint and only fails if sha256_digest is not present.

Even on a FIPS system, running a Docker image such as python:latest doesn't ship with a FIPS-enabled OpenSSL. The change in https://github.com/pypa/twine/issues/776 doesn't omit md5_digest as a result.

Relates to #385477 (closed)

How to set up and validate locally

  1. Use a FIPS-enabled kernel (https://docs.gitlab.com/ee/development/fips_compliance.html#setting-up-a-fips-enabled-development-environment).
  2. Install a standard GitLab EE installation.
  3. Clone https://gitlab.com/gitlab-com/support/toolbox/gitlab-smoke-tests/.
  4. Run a pipeline in the repository.
  5. Manually play pypi-repository job.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu

Merge request reports

Loading