
Disable Debian when FIPS mode is enabled

Steve Abrams requested to merge 361261-debian-fips into master

What does this MR do and why?

To be FIPS compliant, GitLab cannot make use of MD5 values. The Debian package registry uses MD5 files extensively in a variety of locations.

This MR disables the Debian registry when FIPS is enabled:

  • All API endpoints return 404 Not Found
  • Internal services and workers throw a new error. This should never happen since these services and workers are triggered by the API endpoints, but they are added as a safety measure.

There is potential for the Debian registry to be enabled during FIPS mode, but it requires more extensive changes and testing. Given the due date to achieve FIPS compliance (15.2) and the fact that the entire Debian registry feature is behind a feature flag and not yet released, it made sense to simply disable the feature for now so we can spend more time on a version that is enabled in FIPS mode later or when the feature is released.

Screenshots or screen recordings

N/A

How to set up and validate locally

N/A - It is not easy to test with a FIPS environment locally

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #361261 (closed)

Edited by Steve Abrams
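As an added illustration of the gating pattern the description lays out (this is not the MR's code; the module, class and `FIPS_MODE` environment variable names are hypothetical), the Ruby sketch below makes one check decide whether FIPS mode is on, has the endpoint answer 404 Not Found when it is, and has the worker raise instead of computing MD5 metadata:

```ruby
require 'openssl'
require 'digest/md5'

# Hypothetical FIPS gate (not GitLab's own helper). An explicit FIPS_MODE
# environment variable is honoured first so the gate can be exercised on a
# host whose OpenSSL is not itself running in FIPS mode.
module FipsGate
  def self.enabled?(env = ENV)
    return env['FIPS_MODE'] == '1' if env.key?('FIPS_MODE')
    OpenSSL.fips_mode
  end
end

class DebianRegistryDisabledError < StandardError; end

# Stand-in for a registry API endpoint; returns [status, body] like Rack.
class DebianReleaseEndpoint
  def initialize(fips: FipsGate.enabled?)
    @fips = fips
  end

  def get(distribution, release_contents)
    # 404 rather than 403: the disabled feature should look as if it is absent.
    return [404, { 'message' => '404 Not Found' }] if @fips
    [200, { 'distribution' => distribution,
            'MD5Sum' => Digest::MD5.hexdigest(release_contents) }]
  end
end

# Stand-in for a background worker that builds MD5-based Debian metadata.
class GenerateDistributionWorker
  def initialize(fips: FipsGate.enabled?)
    @fips = fips
  end

  def perform(distribution, release_contents)
    # Defence in depth: only the (already gated) API enqueues this worker.
    raise DebianRegistryDisabledError, 'Debian registry disabled in FIPS mode' if @fips
    { distribution => Digest::MD5.hexdigest(release_contents) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample file body, not a real Release file.
  body = "Origin: constructed\nSuite: stable\n"
  p DebianReleaseEndpoint.new(fips: true).get('stable', body)
  p DebianReleaseEndpoint.new(fips: false).get('stable', body)
end
```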
