fred-hartman commented on PR #21014:
URL: https://github.com/apache/superset/pull/21014#issuecomment-2529683581

   Thanks for the details.
   > @fred-hartman my recommendation going forward is as follows:
   > 
   > 1. We make FIPS compliance optional by introducing configurable flags/hooks for calculating hashes that default to the current implementation (MD5), but would support replacing those with a FIPS compliant variant (SHA256).
   > 2. In a forthcoming major version we make a breaking change, where we start defaulting to FIPS compliance being enabled, but support running in non-compliant mode. Then all current deployments would need to explicitly configure their deployments as non-FIPS compliant, ensuring they continue working as expected, but new deployments would be FIPS compliant by default.
   > 
   
   That makes sense as a rollout plan. HITRUST certification next year will be 
adopting many FEDRAMP requirements, including the requirement of running in 
FIPS mode, so I expect demand will grow.
   
   > This would require a SIP, as this is a pretty significant change. Also note that I don't believe any of the core contributors are working on this, so it would need to be a community driven effort. But I'm happy to help push it forward if someone can drive the actual SIP and implementation work.
   
   SHA256 hashes are 64 chars and MD5 are 32. Do you know if MD5 values are 
persisted in the DB? That would increase the scope of migration significantly. 
A quick look at the DB tables doesn't show any VARCHAR(32) columns, but a few 
with VARCHAR(50), which I haven't tracked to how they are filled.
   
   I'll have to escalate internally to see if I can get a Python resource to be 
hands on this or if we look for an outside contractor to craft a PR.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
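
The configurable hash hook and the digest-width question raised in the comment above, as an added example that is not part of the original message and is not Superset code. All function names, the registry and the sample column widths are hypothetical and constructed for illustration.

```python
import hashlib
import string

# Hypothetical names throughout; none of these are Superset settings or APIs.
def _md5(data: bytes) -> str:
    # usedforsecurity=False (Python 3.9+) declares a non-security use such as
    # a cache key; a FIPS-restricted build may still refuse MD5.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

HASHERS = {"md5": _md5, "sha256": _sha256}
HEX_WIDTH = {"md5": 32, "sha256": 64}  # hex characters per digest

def get_hasher(algorithm: str = "md5"):
    """Return the configured hash hook; MD5 stays the default."""
    try:
        return HASHERS[algorithm]
    except KeyError:
        raise ValueError(f"unsupported hash algorithm: {algorithm!r}") from None

def is_usable(algorithm: str) -> bool:
    """True if this interpreter/OpenSSL build allows the algorithm."""
    try:
        get_hasher(algorithm)(b"probe")
        return True
    except ValueError:
        return False

def columns_too_narrow(algorithm: str, columns: dict) -> list:
    """Names of VARCHAR columns that would truncate a hex digest."""
    need = HEX_WIDTH[algorithm]
    return sorted(name for name, width in columns.items() if width < need)

def classify_stored(value: str):
    """Guess which algorithm produced a persisted hex digest, by length."""
    if not value or any(c not in string.hexdigits for c in value):
        return None
    for name, width in HEX_WIDTH.items():
        if len(value) == width:
            return name
    return None

# Constructed column widths for illustration, not Superset's schema.
SAMPLE_COLUMNS = {"key_a": 32, "key_b": 50, "key_c": 64}
```

Running `is_usable("md5")` at startup shows whether the MD5 default can work on a given host before any hash is computed.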

