Message 155741 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	pitrou
Recipients	dmalcolm, gregory.p.smith, pitrou
Date	2012-03-14.10:23:47
SpamBayes Score	2.4539926e-09
Marked as misclassified	No
Message-id	<1331720628.21.0.910283648448.issue9216@psf.upfronthosting.co.za>
In-reply-to

Content
Patch 0002: - cached_info->error_msg doesn't seem deallocated anywhere? Patch 0003: - "usedforsecurity" is a poor name IMO; make it shorter and/or PEP8-ize it ("used_for_security") - the 2-element context array thing is obscure: why not distinct "ctx" and "ctx_non_fips" members? - "this could fail, e.g. low on memory, or encodings": doesn't it lack an error-handling path, then? Patch 0004: - openssl_can_enforce_fips(): instead of calling OpenSSL in a subprocess, perhaps it's possible to expose a public flag in the hashlib module (e.g. "hashlib.HAS_FIPS")? or is this info not fetchable programmatically? - openssl_can_enforce_fips() needs to check the subprocess return code, in case another error happened - run_command_with_fips_enforcement() should use the assert_python_ok() and assert_python_failure() functions from Lib/test/script_helper.py Overall: - please put back the unconditional tests for the "usedforsecurity" argument (even when FIPS can't be enforced) - the patches lack docs (Doc/library/hashlib.rst) - please commit all this as a single commit, not 4 different ones

Patch 0002:

- cached_info->error_msg doesn't seem deallocated anywhere?

Patch 0003:

- "usedforsecurity" is a poor name IMO; make it shorter and/or PEP8-ize it ("used_for_security")
- the 2-element context array thing is obscure: why not distinct "ctx" and "ctx_non_fips" members?
- "this could fail, e.g. low on memory, or encodings": doesn't it lack an error-handling path, then?

Patch 0004:

- openssl_can_enforce_fips(): instead of calling OpenSSL in a subprocess, perhaps it's possible to expose a public flag in the hashlib module (e.g. "hashlib.HAS_FIPS")? or is this info not fetchable programmatically?
- openssl_can_enforce_fips() needs to check the subprocess return code, in case another error happened
- run_command_with_fips_enforcement() should use the assert_python_ok() and assert_python_failure() functions from Lib/test/script_helper.py

Overall:

- please put back the unconditional tests for the "usedforsecurity" argument (even when FIPS can't be enforced)
- the patches lack docs (Doc/library/hashlib.rst)
- please commit all this as a single commit, not 4 different ones

History
Date	User	Action	Args
2012-03-14 10:23:48	pitrou	set	recipients: + pitrou, gregory.p.smith, dmalcolm
2012-03-14 10:23:48	pitrou	set	messageid: <1331720628.21.0.910283648448.issue9216@psf.upfronthosting.co.za>
2012-03-14 10:23:47	pitrou	link	issue9216 messages
2012-03-14 10:23:47	pitrou	create