Yuval-Moshe commented on PR #21014:
URL: https://github.com/apache/superset/pull/21014#issuecomment-2529749912

   Ok, thank you. Our water pump is not working either, also happened twice in
   the past couple of days (we called and notified it as well).
   Can the mechanic take a look and fix it tomorrow as well?
   We currently don't have running water and we just filled the water tank
   yesterday.
   
   On Tue, 10 Dec 2024, 11:37 Fred Hartman, ***@***.***> wrote:
   
   > Thanks for the details.
   >
   > @fred-hartman <https://github.com/fred-hartman> my recommendation going
   > forward is as follows:
   >
   >    1. We make FIPS compliance optional by introducing configurable
   >    flags/hooks for calculating hashes that default to the current
   >    implementation (MD5), but would support replacing those with a FIPS
   >    compliant variant (SHA256).
   >    2. In a forthcoming major version we make a breaking change, where we
   >    start defaulting to FIPS compliance being enabled, but support running in
   >    non-compliant mode. Then all current deployments would need to explicitly
   >    configure their deployments as non-FIPS compliant, ensuring they continue
   >    working as expected, but new deployments would be FIPS compliant by default.
   >
   > That makes sense as a rollout plan. HITRUST certification next year will
   > be adopting many FEDRAMP requirements, including the requirement of running
   > in FIPS mode, so I expect demand will grow.
   >
   > This would require a SIP, as this is a pretty significant change. Also
   > note that I don't believe any of the core contributors are working on this,
   > so it would need to be a community driven effort. But I'm happy to help
   > push it forward if someone can drive the actual SIP and implementation work.
   >
   > SHA256 hashes are 64 chars and MD5 are 32. Do you know if MD5 values are
   > persisted in the DB? That would increase the scope of migration
   > significantly. A quick look at the DB tables doesn't show any VARCHAR(32)
   > columns, but a few with VARCHAR(50), which I haven't tracked to how they
   > are filled.
   >
   > I'll have to escalate internally to see if I can get a python resource to
   > be hands on this or if we look for an outside contractor to craft a PR.
   >
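
Added example, not part of the thread and not Superset's code: a sketch of the configurable hash hook proposed in the quoted comment, plus the column-width check its migration question implies. The setting name `HASH_ALGORITHM`, the helper names and the sample column widths are all hypothetical.

```python
from __future__ import annotations

import hashlib

# Hypothetical setting; the default keeps the current behaviour (MD5).
HASH_ALGORITHM = "md5"
SUPPORTED = ("md5", "sha256")
DIGEST_BYTES = {"md5": 16, "sha256": 32}

# Constructed sample of VARCHAR widths, not taken from Superset's schema.
SAMPLE_COLUMNS = {
    "hypothetical_key_col": 50,
    "hypothetical_wide_col": 64,
    "hypothetical_text_col": 256,
}


def hash_hex(value: str, algorithm: str | None = None) -> str:
    """Return the hex digest of value using the given or configured algorithm."""
    name = algorithm or HASH_ALGORITHM
    if name not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {name}")
    # hashlib.new() can raise ValueError when the underlying OpenSSL build
    # blocks the algorithm, which is what happens to MD5 in FIPS mode.
    return hashlib.new(name, value.encode("utf-8")).hexdigest()


def hex_digest_length(algorithm: str) -> int:
    """Length of the hex digest: two characters per digest byte."""
    return DIGEST_BYTES[algorithm] * 2


def columns_too_narrow(columns: dict[str, int], algorithm: str) -> list[str]:
    """Names of columns whose width cannot hold a hex digest of algorithm."""
    need = hex_digest_length(algorithm)
    return sorted(name for name, width in columns.items() if width < need)


if __name__ == "__main__":
    for algo in SUPPORTED:
        print(algo, hex_digest_length(algo),
              columns_too_narrow(SAMPLE_COLUMNS, algo))
```

A 50-character column holds an MD5 hex digest (32) but not a SHA256 one (64), so any such column that stores hashes would need widening before the default is switched.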
   

