[ 
https://issues.apache.org/jira/browse/FLINK-35626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17855815#comment-17855815
 ] 

Martijn Visser commented on FLINK-35626:
----------------------------------------

Realistically I don't think that we will do this, unless there are multiple 
maintainers who are willing to take this one. But looking at various other 
security/compliance topics (not always using the latest versions of 
dependencies, no RBAC etc), I don't think this is something that will happen. 

> Add support for FIPS
> --------------------
>
>                 Key: FLINK-35626
>                 URL: https://issues.apache.org/jira/browse/FLINK-35626
>             Project: Flink
>          Issue Type: New Feature
>            Reporter: Mark
>            Priority: Minor
>
> In order to be able to use Apache Flink in certain environments with strict 
> compliance requirements, the application may need to be compliant with 
> FIPS-140-2.
> The path to produce a FIPS compliant image can vary, depending on the 
> programming language and application itself. For Java, this may involve:
>  * For any bundled crypto, utilising FIPS versions, i.e. the FIPS version of 
> BouncyCastle (bcfips). Alternatively, ensuring there is no bundled crypto, 
> and all operations fall back to the JRE / OpenSSL on the host
>  * Where keystores are required, support for creating bcfks keystore types
>  * Producing a base image with OpenSSL configured for FIPS, as well as a JRE 
> configured for FIPS (such as bcfips)
>  * No use of unapproved crypto algorithms, such as DES, MD5, SHA1 etc.
> It would be great if Flink was able to support FIPS - by that, I mean 
> ensuring all requirements are met, and some documentation outlining how this 
> is met and enforced.
> From a quick scan of the codebase, I don't see any direct references to 
> bouncycastle (either non-fips or fips), but I do see several places where md5 
> and sha1 are used for example.
> Support for FIPS would increase the use-cases for deploying Flink in secure 
> environments. Thanks for taking this into consideration.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
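
The "quick scan" for md5 and sha1 mentioned in the issue description can be made repeatable. The following is an added example, not part of the original message or of the Flink code base: a Python scanner that reports JCA `getInstance("...")` calls in Java source whose algorithm string resolves to DES, MD5 or SHA1, the algorithms the issue names. The function names and the Java sample are constructed for illustration.

```python
import re
from typing import NamedTuple

# JCA factories whose getInstance() takes the algorithm name as a string literal.
JCA_CALL = re.compile(
    r'\b(MessageDigest|Mac|Cipher|Signature|KeyGenerator|SecretKeyFactory)'
    r'\s*\.\s*getInstance\(\s*"([^"]+)"')

class Finding(NamedTuple):
    line: int
    api: str
    requested: str
    unapproved: str

def classify(requested):
    """Map a JCA algorithm string to DES, MD5 or SHA1 (the issue's examples), else None."""
    # Cipher transformations look like "DES/CBC/PKCS5Padding": keep the algorithm part.
    head = requested.split("/")[0].upper().replace("-", "")
    if head == "DES":  # exact match, so "DESede" is not reported as DES
        return "DES"
    for name in ("MD5", "SHA1"):  # substring match catches HmacMD5, SHA1withRSA, SHA-1
        if name in head:
            return name
    return None

def scan(source):
    """Return a Finding for every flagged getInstance("...") literal in Java source."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        if text.lstrip().startswith(("//", "*", "/*")):
            continue  # whole-line comments are not code
        for api, requested in JCA_CALL.findall(text):
            hit = classify(requested)
            if hit:
                findings.append(Finding(lineno, api, requested, hit))
    return findings

# Constructed Java sample, not taken from the Flink code base.
SAMPLE = '''class Sample {
  // MessageDigest.getInstance("MD5") was used here once
  byte[] a(byte[] b) throws Exception { return MessageDigest.getInstance("SHA-1").digest(b); }
  byte[] c(byte[] b) throws Exception { return MessageDigest.getInstance("SHA-256").digest(b); }
  Object d() throws Exception { return javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding"); }
  Object e() throws Exception { return javax.crypto.Cipher.getInstance("DESede/CBC/PKCS5Padding"); }
  Object f() throws Exception { return javax.crypto.Mac.getInstance("HmacMD5"); }
}'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f'line {f.line}: {f.api}.getInstance("{f.requested}") uses {f.unapproved}')
```

The scanner only sees algorithm names written as string literals at the call site; names passed through constants, configuration or third-party hashing helpers need a separate review.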
