villebro commented on PR #21014:
URL: https://github.com/apache/superset/pull/21014#issuecomment-2518539668

   @fred-hartman my recommendation going forward is as follows:
   1. We make FIPS compliance optional by introducing configurable flags/hooks 
for calculating hashes that default to the current implementation (MD5), but 
would support replacing those with a FIPS-compliant variant (SHA256).
   2. In a forthcoming major version we make a breaking change, where we start 
defaulting to FIPS compliance being enabled, but support running in 
non-compliant mode. Then all current deployments would need to explicitly 
configure their deployments as non-FIPS-compliant, ensuring they continue 
working as expected, but new deployments would be FIPS-compliant by default.

   This would require a SIP, as this is a pretty significant change. Also note 
that I don't believe any of the core contributors are working on this, so it 
would need to be a community-driven effort. But I'm happy to help push it 
forward if someone can drive the actual SIP and implementation work.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

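The two-phase plan above (an opt-in hash hook first, then a flipped default) can be sketched in a few dozen lines. The block below is an added example written for this page, not code from the Superset project; the config keys `FIPS_COMPLIANT` and `HASH_FUNCTION`, the function names, and the sample payload are all assumptions chosen for illustration. It shows the MD5 default beside its SHA-256 replacement, how the same resolver serves both phases by changing only `fips_default`, and the migration caveat that a deployment which never set the flag will silently change algorithm (and therefore every derived cache key) when the default flips.

```python
"""Added example (not Superset code): a configurable hash hook with an MD5
default that can be switched to SHA-256 for FIPS-mode deployments.
Config keys FIPS_COMPLIANT and HASH_FUNCTION are hypothetical names."""
import hashlib
import json
from typing import Any, Callable, Dict, List, Optional

HashFn = Callable[[bytes], str]


def md5_hex(data: bytes) -> str:
    """Current (non-FIPS) behaviour. usedforsecurity=False (Python 3.9+)
    marks the digest as an identifier rather than a security control; FIPS
    builds of OpenSSL may otherwise refuse to construct an MD5 object."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def sha256_hex(data: bytes) -> str:
    """FIPS-approved replacement for the MD5 hook."""
    return hashlib.sha256(data).hexdigest()


def resolve_hash_backend(config: Dict[str, Any], *, fips_default: bool) -> HashFn:
    """Pick the hash hook from deployment config.

    fips_default models the two phases in the comment: False for the first
    (opt-in) release, True for the later breaking release where deployments
    must set FIPS_COMPLIANT = False to keep MD5. A callable HASH_FUNCTION
    overrides both defaults (hypothetical hook name)."""
    custom: Optional[HashFn] = config.get("HASH_FUNCTION")
    if custom is not None:
        if not callable(custom):
            raise TypeError("HASH_FUNCTION must be a callable(bytes) -> str")
        return custom
    fips = bool(config.get("FIPS_COMPLIANT", fips_default))
    return sha256_hex if fips else md5_hex


def cache_key(payload: Dict[str, Any], backend: HashFn) -> str:
    """Derive a stable key from a dict: canonical JSON (sorted keys, fixed
    separators) so equal payloads hash equally regardless of key order."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return backend(canonical.encode("utf-8"))


def migration_warnings(config: Dict[str, Any], *, fips_default: bool) -> List[str]:
    """Flag the operational caveat of the phase-2 flip: a deployment that
    never set FIPS_COMPLIANT changes hash algorithm, and so every derived
    cache key, the moment the shipped default moves to True."""
    warnings: List[str] = []
    if "FIPS_COMPLIANT" not in config and "HASH_FUNCTION" not in config:
        algo = "sha256" if fips_default else "md5"
        warnings.append(
            f"FIPS_COMPLIANT not set; relying on default {algo}. "
            "Set it explicitly so an upgrade cannot change existing cache keys."
        )
    if config.get("FIPS_COMPLIANT") is True and config.get("HASH_FUNCTION") is md5_hex:
        warnings.append("HASH_FUNCTION pins MD5 while FIPS_COMPLIANT is True; not FIPS-compliant.")
    return warnings


if __name__ == "__main__":
    # Constructed sample payload standing in for a chart/query descriptor.
    payload = {"datasource": "sales", "filters": [{"col": "region", "val": "EU"}]}
    for phase, default in ((1, False), (2, True)):
        backend = resolve_hash_backend({}, fips_default=default)
        print(f"phase {phase}: {backend.__name__} -> {cache_key(payload, backend)}")
        for w in migration_warnings({}, fips_default=default):
            print("  warning:", w)
```

Running the script with an empty config prints an MD5 key for phase 1 and a SHA-256 key for phase 2 for the same payload, which is exactly the silent change the warning in `migration_warnings` is there to surface before the breaking release ships.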