Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-40779

python3.11: Allow hash-based .pyc invalidation mode when in FIPS mode[rhel-9.5]

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-9.5
    • rhel-8.8.0.z, rhel-8.10.z, rhel-9.2.0.z, rhel-9.4.z, rhel-9.5
    • python3.11
    • None
    • python3.11-3.11.9-2.el9
    • None
    • Low
    • ZStream
    • rhel-sst-pt-python-ruby-nodejs
    • ssg_core_services
    • None

      Python in FIPS mode disables hash-based .pyc invalidation mode due to using a non-FIPS approved digest, siphash13.

      For images or systems where the SOURCE_DATE_EPOCH variable is set automatically, Python will change the .pyc invalidation mode to hash-based, instead of the default time-based. As a result, if the system is then changed to FIPS mode or the images are deployed in FIPS environments, Python will fail with a traceback when trying to import the already generated .pyc files.

      However since siphash is used just for hashing and not in any security context, it is permissible to allow those .pyc files to be imported.

      We'll need to remove the part of the FIPS patch that disables the hash-based .pyc invalidation mode in FIPS mode.

              python-maint python-maint
              cstratak@redhat.com Charalampos Stratakis
              Charalampos Stratakis Charalampos Stratakis
              Lukas Zachar Lukas Zachar
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: