Make package FIPS compatible by marking blake2 hashing with usedforsecurity=False
#295
Conversation
This will allow make package FIPS compatible
Merging this PR will not alter performance
Comparing 
Footnotes
|
There was a problem hiding this comment.
Pull request overview
This PR makes the grimp package compatible with FIPS (Federal Information Processing Standards) mode by explicitly marking blake2b hash usage as non-security-related. The change allows grimp to work in FIPS-compliant environments where non-approved cryptographic algorithms are restricted for security purposes.
Changes:
- Added
usedforsecurity=Falseparameter to blake2b hash function call used for generating cache filenames - Updated CHANGELOG.rst to document the FIPS compatibility improvement
- Added contributor to AUTHORS.rst
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/grimp/adaptors/caching.py | Added usedforsecurity=False parameter to blake2b hash call to enable FIPS compatibility |
| CHANGELOG.rst | Added entry documenting FIPS compatibility improvement |
| AUTHORS.rst | Added new contributor Oleksandr Zaiats |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Thanks for this - today I learned about |
2 participants
latestsection at the top ofCHANGELOG.rst. (If it's not there, add it.)AUTHORS.rst.just full-check.Why this change?
In FIPS (Federal Information Processing Standards) compliant environments, Python's hashlib restricts the use of non-FIPS-approved algorithms like BLAKE2 when they might be used for security purposes. However, grimp only uses BLAKE2 to generate safe cache filenames—not for any cryptographic or security purpose.
By explicitly marking the hash with usedforsecurity=False, we tell Python that this hash is not being used for security, allowing grimp to work correctly in FIPS mode without triggering restrictions on non-approved algorithms.