  1. RHEL
  2. RHEL-40750

python3.9: Allow hash-based .pyc invalidation mode when in FIPS mode [rhel-9.5.0]

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-9.5
    • rhel-9.2.0.z, rhel-9.4.z, rhel-9.5
    • python3.9
    • python3.9-3.9.19-2.el9
    • Low
    • ZStream
    • sst_pt_python_ruby_nodejs
    • ssg_core_services
    • 5
    • False
    • Approved Blocker

      Python in FIPS mode disables hash-based .pyc invalidation mode due to using a non-FIPS approved digest, siphash13.

      For images or systems where the SOURCE_DATE_EPOCH variable is set automatically, Python will change the .pyc invalidation mode to hash-based, instead of the default time-based. As a result, if the system is then changed to FIPS mode or the images are deployed in FIPS environments, Python will fail with a traceback when trying to import the already generated .pyc files.

      However, since siphash is used just for hashing and not in any security context, it is permissible to allow those .pyc files to be imported.

      We'll need to remove the part of the FIPS patch that disables the hash-based .pyc invalidation mode in FIPS mode.
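
An added example (not part of the original issue or of the Red Hat patch): a Python script that reads the PEP 552 header flags of each .pyc file and lists the hash-based ones, so an image can be audited before it is deployed to a FIPS environment. The `demo()` helper, the sample module and the epoch value are constructed for illustration.

```python
import importlib.util
import os
import py_compile
import struct
import sys
import tempfile
from pathlib import Path
from unittest import mock


def pyc_invalidation_mode(pyc_path):
    """Return the PEP 552 invalidation mode of a .pyc, or None if unreadable."""
    header = Path(pyc_path).read_bytes()[:16]
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return None  # truncated, or built by a different Python version
    (flags,) = struct.unpack("<I", header[4:8])  # flags word follows the magic
    if not flags & 0b01:  # bit 0 clear: source mtime and size follow
        return "timestamp"
    return "checked-hash" if flags & 0b10 else "unchecked-hash"


def find_hash_based(root):
    """List (path, mode) for every hash-based .pyc under root."""
    modes = ((str(p), pyc_invalidation_mode(p)) for p in sorted(Path(root).rglob("*.pyc")))
    return [(p, m) for p, m in modes if m in ("checked-hash", "unchecked-hash")]


def demo():
    """Compile one constructed module without and with SOURCE_DATE_EPOCH set."""
    results = {}
    with mock.patch.dict(os.environ), tempfile.TemporaryDirectory() as tmp:
        os.environ.pop("SOURCE_DATE_EPOCH", None)  # start from the time-based default
        src = Path(tmp, "sample.py")
        src.write_text("VALUE = 1\n")  # constructed sample module
        for label, epoch in (("default", None), ("epoch", "1700000000")):
            if epoch:
                os.environ["SOURCE_DATE_EPOCH"] = epoch  # constructed value
            out = py_compile.compile(str(src), cfile=f"{tmp}/{label}.pyc", doraise=True)
            results[label] = pyc_invalidation_mode(out)
        results["flagged"] = [Path(p).name for p, _ in find_hash_based(tmp)]
    return results


if __name__ == "__main__":  # usage: script.py DIRECTORY (no argument runs the demo)
    print(find_hash_based(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with the same interpreter that will import the files, since .pyc files carrying a different magic number are skipped.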

            python-maint
            Charalampos Stratakis (cstratak@redhat.com)
            Charalampos Stratakis
            Lukas Zachar