
Relax FIPS constraints on PyPI packages

Stan Hu requested to merge sh-relax-pypi-fips into master

What does this MR do and why?

Previously, on a FIPS system, if a PyPI package were uploaded that included md5_digest, the upload would fail with a 422 Unprocessable Entity error due to !87180 (merged). This commit relaxes the constraint and only fails if sha256_digest is not present.

Even on a FIPS system, running a Docker image such as python:latest doesn't ship with a FIPS-enabled OpenSSL. The change in https://github.com/pypa/twine/issues/776 doesn't omit md5_digest as a result.

Relates to #385477 (closed)
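
The validation policy the description spells out, modelled as an added example (this is not GitLab's Ruby code, nor twine's; the function names, the `fips_mode` flag and the sample package bytes are constructed for illustration). The client side sends `sha256_digest` unconditionally and `md5_digest` only when the local OpenSSL permits MD5, which is the situation described above: a `python:latest` container on a FIPS host still computes MD5. The "strict" server check is the behaviour before this MR (any `md5_digest` on a FIPS server rejects the upload); the "relaxed" check ignores `md5_digest` and requires `sha256_digest`. Verifying that the supplied SHA-256 actually matches the uploaded bytes is an assumption on my part, not something the MR states.

```python
import hashlib
import hmac

# Constructed sample distribution content (not a real wheel or sdist).
SAMPLE_PACKAGE = b"constructed-package-bytes-for-demo\n"


def client_digests(data: bytes) -> dict:
    """Model of the digest fields an upload client fills in.

    sha256_digest is always sent. md5_digest is sent only when the local
    OpenSSL allows MD5; on a FIPS-enabled build hashlib.md5 raises
    ValueError and the field is omitted. This mirrors the client behaviour
    described in the linked twine issue but is not twine's own code.
    """
    fields = {"sha256_digest": hashlib.sha256(data).hexdigest()}
    try:
        fields["md5_digest"] = hashlib.md5(data).hexdigest()
    except ValueError:
        # FIPS-enabled OpenSSL: MD5 unavailable, so the field is left out.
        pass
    return fields


def _sha256_matches(fields: dict, data: bytes) -> bool:
    """True when sha256_digest is present and matches the uploaded bytes.

    Checking the value against the content is an assumed hardening step;
    the MR itself only requires the field to be present.
    """
    supplied = fields.get("sha256_digest")
    if not supplied:
        return False
    expected = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many leading hex
    # characters matched; cheap insurance for a digest check.
    return hmac.compare_digest(supplied.lower(), expected)


def validate_strict(fields: dict, data: bytes, fips_mode: bool) -> bool:
    """Behaviour before this MR: on a FIPS server, any md5_digest rejects
    the upload (the 422 described above), even when sha256_digest is fine."""
    if fips_mode and "md5_digest" in fields:
        return False
    return _sha256_matches(fields, data)


def validate_relaxed(fields: dict, data: bytes, fips_mode: bool) -> bool:
    """Behaviour after this MR: md5_digest is ignored entirely (never
    computed, never compared, so nothing touches MD5 on the server);
    the upload fails only when sha256_digest is missing or wrong."""
    del fips_mode  # no longer influences the decision
    return _sha256_matches(fields, data)


if __name__ == "__main__":
    upload = client_digests(SAMPLE_PACKAGE)
    print("fields sent by client:", sorted(upload))
    print("strict, FIPS server: ", validate_strict(upload, SAMPLE_PACKAGE, fips_mode=True))
    print("relaxed, FIPS server:", validate_relaxed(upload, SAMPLE_PACKAGE, fips_mode=True))
```

Run it on a non-FIPS machine and the client includes `md5_digest`, so the strict validator rejects the upload while the relaxed one accepts it; on a FIPS-enabled OpenSSL the client omits `md5_digest` and both validators agree. In both environments a missing or tampered `sha256_digest` is still rejected.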

How to set up and validate locally

  1. Use a FIPS-enabled kernel (https://docs.gitlab.com/ee/development/fips_compliance.html#setting-up-a-fips-enabled-development-environment).
  2. Install a standard GitLab EE installation.
  3. Clone https://gitlab.com/gitlab-com/support/toolbox/gitlab-smoke-tests/.
  4. Run a pipeline in the repository.
  5. Manually play pypi-repository job.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
