Tox: Consider removing or making MD5 optional

Created on 30 Jul 2019 · 10 Comments · Source: tox-dev/tox

Hello,
Recently I have been investigating an issue running some tests with Tox on a system configured in FIPS mode.
The tests failed immediately because Tox seems to be using MD5, which is a forbidden hash in FIPS mode as it is considered truly broken.

Given tox already has support for generating a SHA-256 Hash, I was wondering if you could consider either removing the use of MD5 completely or simply making it optional.

That would make it possible to run tests for components like python-cryptography in FIPS mode which is currently blocked on tox and would be really useful in many settings where use of FIPS mode is mandatory in general.

I've found 2 usages of md5 in tox:

https://github.com/tox-dev/tox/blob/1908b198be5fd6e92143a78b43caf636965bbc6e/src/tox/_pytestplugin.py#L506

This seems self-contained and possibly replaceable by:

base_resolved_python_sha256 = getdigest(sys.executable, hashtype="sha256")

https://github.com/tox-dev/tox/blob/a8b34cc5690cef34fa91ca0f1950a1fdde0f8b72/src/tox/logs/env.py#L39

Here the md5 hash is computed together with sha256 and maybe it can be omitted entirely or made optional (if MD5 initialization raises an exception, you skip it).


Would you accept a pull request?

new pr-merged


Seems we could pretty easily switch all of those to be sha256 or some other equivalent hash, it currently gets written into the .tox-config1 marker file in the created environment

for instance:

$ cat /home/asottile/workspace/tox/.tox/pypy3/.tox-config1 
7c85d37487b1dd9996ce400baa8b50da /home/asottile/bin/pypy3
3.13.2 0 0 0
00000000000000000000000000000000 pip == 19.1.1

(another note: looks like the "package" digest isn't used at all -- always 00000...)
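The two pieces above (the `getdigest(sys.executable, hashtype="sha256")` call proposed in the issue and the `.tox-config1` marker lines) put together as an added example; this is not tox's own code. `getdigest`, `hash_available`, `optional_digest` and `marker_lines` are assumed helper names, and the sample file content is constructed so its digests are well known.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the interpreter file that tox fingerprints;
# b"abc" is used because its SHA-256 and MD5 digests are well known.
SAMPLE_DATA = b"abc"


def getdigest(path, hashtype="sha256", chunk_size=65536):
    """Hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(hashtype)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_available(hashtype):
    """True if hashlib can construct this hash on the running system.

    On a FIPS-mode host hashlib.new("md5") raises ValueError, which is the
    failure the issue describes; unknown names raise ValueError as well.
    """
    try:
        hashlib.new(hashtype)
    except ValueError:
        return False
    return True


def optional_digest(path, hashtype):
    """Digest of the file, or None when the hash is unavailable (the "skip it" option)."""
    if not hash_available(hashtype):
        return None
    return getdigest(path, hashtype)


def marker_lines(python_path):
    """Lines in the `<digest> <path>` shape of .tox-config1, SHA-256 first, MD5 only if usable."""
    lines = []
    for hashtype in ("sha256", "md5"):
        digest = optional_digest(python_path, hashtype)
        if digest is not None:
            lines.append("%s %s" % (digest, python_path))
    return lines


def write_sample_file():
    """Write SAMPLE_DATA to a temporary file and return its path (constructed input)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_DATA)
    return path
```

On a FIPS-mode host `marker_lines` yields only the SHA-256 line; elsewhere it yields both, so the marker file stays usable either way.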

@asottile I'm actually reworking this inside the rewrite, so that should solve it, but in the meantime, we can solve it here too 👍

CCing @hroncok

I took a stab in #1385

Thanks a lot guys, you rock!

@simo5 Do you need a Fedora backport?

@hroncok it would be nice but not urgent, RHEL would be nice too.

@hroncok it would be nice but not urgent

In that case, it will be shipped with next update.

RHEL would be nice too.

I'm afraid I don't know anything about tox in RHEL, you would probably need to open a bugzilla.

@vstinner might be able to point you in the right direction 😄

(Sorry to spam the tox bug tracker!)

I'm afraid I don't know anything about tox in RHEL, you would probably need to open a bugzilla.

As Miro wrote, for Fedora and/or RHEL, it's better to open a request at https://bugzilla.redhat.com/
