Discussion:
[Scons-users] Feature Request: Add Support for detecting build changes via sha256
RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
2018-08-13 14:45:23 UTC
Currently we have to patch SCons to use sha256 detection for detecting file changes when building to meet security requirements. Could SCons be updated to support FIPS/SELinux natively, via a command line option possibly?

//SIGNED//
Ryan L. Ruhge
Cloud Analysis Forecast
Contractor, 557th Weather Wing/SEMS
Bld 185 Rm 2420-01
402.232.0534
***@us.af.mil
Bill Deegan
2018-08-13 21:19:17 UTC
Ryan,

Curious why SCons would be run in an SELinux environment and what changes
you'd expect to need to make it run as such?
(Are you planning to run SCons with elevated privileges (as root for
example)?)

I can't see any reason why sha256 couldn't be used instead of MD5.
However, such a change would need to be compatible with existing md5-based
sconsigns, so it might be a bit more complicated than just changing the hash
used.

Feel free to make a pull request via github and we can review and help
guide the patches into something the project could merge.

Thanks,
Bill
SCons Project Co-Manager

On Mon, Aug 13, 2018 at 7:45 AM, RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
Post by RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
Currently we have to patch SCons to use sha256 detection for detecting
file changes when building to meet security requirements. Could SCons be
updated to support FIPS/SELinux natively, via a command line option
possibly?
//SIGNED//
Ryan L. Ruhge
Cloud Analysis Forecast
Contractor, 557th Weather Wing/SEMS
Bld 185 Rm 2420-01
402.232.0534
_______________________________________________
Scons-users mailing list
https://pairlist4.pair.net/mailman/listinfo/scons-users
Marc Branchaud
2018-08-14 13:54:40 UTC
Post by Bill Deegan
Ryan,
Curious why SCons would be run in an SELinux environment and what
changes you'd expect to need to make it run as such?
(Are you planning to run SCons with elevated privileges (as root for
example)?)
I can't see any reason why sha256 couldn't be used instead of MD5.
I agree, just please don't make it the default. SHA256 is much slower
than MD5.

(And, no, SCons does *not* need a more secure hash function. MD5's
properties are perfectly suitable for SCons's purposes.)

M.
Post by Bill Deegan
However such change would need to be compatible with existing md5 based
sconsigns so it might be a bit more complicated that just changing the
hash used.
Feel free to make a pull request via github and we can review and help
guide the patches into something the project could merge.
Thanks,
Bill
SCons Project Co-Manager
RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
2018-08-15 13:30:51 UTC
Thanks for your replies.

In short, our system is configured to run in FIPS mode (Federal Information
Processing Standard). In this mode, md5 is not an allowed cryptographic
algorithm and SCons will not work at all if we don't patch it (unless we
change it to check timestamps instead). Our current patch makes SCons only
work in sha256 mode which I fully understand is not desirable. Once we get
a chance we will rework the patch to make it an option and move forward from
there to work with you all.

Thanks again,
Ryan
Post by Bill Deegan
Ryan,
Curious why SCons would be run in an SELinux environment and what
changes you'd expect to need to make it run as such?
(Are you planning to run SCons with elevated privileges (as root for
example)?)
I can't see any reason why sha256 couldn't be used instead of MD5.
I agree, just please don't make it the default. SHA256 is much slower
than MD5.

(And, no, SCons does *not* need a more secure hash function. MD5's
properties are perfectly suitable for SCons's purposes.)

M.
Post by Bill Deegan
However such change would need to be compatible with existing md5 based
sconsigns so it might be a bit more complicated that just changing the
hash used.
Feel free to make a pull request via github and we can review and help
guide the patches into something the project could merge.
Thanks,
Bill
SCons Project Co-Manager
Mats Wichmann
2018-08-15 14:49:06 UTC
Post by RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
_______________________________________________
Scons-users mailing list
https://pairlist4.pair.net/mailman/listinfo/scons-users
that seems to have been a completely empty message, did you intend to
send a followup to the discussion?

as you've found out by doing it, the change to use sha256 instead of md5
on python versions that support a "modern" hashlib, which all the ones
scons is supported on do, is quite simple. to the rest of it, we don't
yet understand your requirement.
RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
2018-08-15 15:26:23 UTC
Mats,

Sorry, not sure what happened there. I will try sending my message again.

In short, our system is configured to run in FIPS mode (Federal Information Processing Standard). In this mode, md5 is not an allowed cryptographic algorithm and SCons will not work at all if we don't patch it (unless we change it to check timestamps instead). Our current patch makes SCons only work in sha256 mode which I fully understand is not desirable. Once we get a chance we will rework the patch to make it an option and move forward from there to work with you all.

Thanks again,
Ryan


-----Original Message-----
From: Mats Wichmann <***@wichmann.us>
Sent: Wednesday, August 15, 2018 9:49 AM
To: SCons users mailing list <scons-***@scons.org>; RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL <***@us.af.mil>
Cc: SMITH, JASON C CTR USAF AFMC AFLCMC/HBAW-OL <***@us.af.mil>
Subject: [Non-DoD Source] Re: [Scons-users] Feature Request: Add Support for detecting build changes via sha256
Post by RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
_______________________________________________
Scons-users mailing list
https://pairlist4.pair.net/mailman/listinfo/scons-users
that seems to have been a completely empty message, did you intend to send a followup to the discussion?

as you've found out by doing it, the change to use sha256 instead of md5 on python versions that support a "modern" hashlib, which all the ones scons is supported on do, is quite simple. to the rest of it, we don't yet understand your requirement.
Mats Wichmann
2018-08-15 17:26:28 UTC
Post by RUHGE, RYAN L CTR USAF AFMC AFLCMC/HBAW-OL
Mats,
Sorry not sure what happened there I will try sending my message again.
In short, our system is configured to run in FIPS mode (Federal Information Processing Standard). In this mode, md5 is not an allowed cryptographic algorithm and SCons will not work at all if we don't patch it (unless we change it to check timestamps instead). Our current patch makes SCons only work in sha256 mode which I fully understand is not desirable. Once we get a chance we will rework the patch to make it an option and move forward from there to work with you all.
Thanks again,
Ryan
okay, so you have a policy issue that bans md5, which is *not* a
cryptographic hashing function at all, even in the case where it is not
used for any security purpose whatsoever but only as a hash to identify
file changes. That's... misguided, but we don't get to argue with
governmental standards. I'm guessing this is what applies (from Python
docs for hashlib):

"""
Constructors for hash algorithms that are always present in this module
are sha1(), sha224(), sha256(), sha384(), sha512(), blake2b(), and
blake2s(). md5() is normally available as well, though it may be missing
if you are using a rare “FIPS compliant” build of Python.
"""

So since Python itself acknowledges such a thing exists, I guess scons
should be able to operate in the presence of such a Python - that is,
fall back to some other method if md5 is missing. Note some of those are
only in new Pythons and would not be appropriate for scons yet.
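The fallback Mats describes, together with Bill's concern about staying compatible with existing md5-based sconsigns, as an added example that is not SCons's own code: pick the first hash algorithm the running Python can actually use, and tell old md5 signatures from sha256 ones by their hex length so an existing signature database can still be checked. The function names and the `FipsModeHashlib` stand-in are constructed for this example; the assumption that a FIPS-mode Python fails by omitting `md5` or by raising `ValueError` when it is called is mine, not the thread's.

```python
import hashlib

# md5 first so existing md5-based .sconsign databases stay valid; sha256 is the
# fallback when md5 is unusable (FIPS-mode Python). Hex length identifies the algorithm.
HASH_PREFERENCE = ("md5", "sha256")
DIGEST_HEX_LEN = {"md5": 32, "sha256": 64}


class FipsModeHashlib:
    """Constructed stand-in for hashlib on a FIPS-mode Python: md5 refuses to run."""
    @staticmethod
    def md5(data=b""):
        raise ValueError("[digital envelope routines] unsupported")
    sha256 = hashlib.sha256


def usable_hash(name, module=hashlib):
    """Constructor for `name`, or None if it is missing or refuses to run."""
    ctor = getattr(module, name, None)  # a FIPS build may omit md5 entirely...
    if ctor is None:
        return None
    try:
        ctor(b"")  # ...or keep the name but raise when it is called (assumed)
    except ValueError:
        return None
    return ctor


def select_hash_algorithm(preference=HASH_PREFERENCE, module=hashlib):
    """First usable algorithm: the 'fall back if md5 is missing' behaviour."""
    for name in preference:
        if usable_hash(name, module) is not None:
            return name
    raise RuntimeError("no usable hash algorithm among %r" % (preference,))


def content_signature(data, algorithm, module=hashlib):
    """Hex content signature, the kind SCons stores per file in .sconsign."""
    return getattr(module, algorithm)(data).hexdigest()


def signature_algorithm(signature):
    """Infer which algorithm produced a stored signature from its hex length."""
    for name, length in DIGEST_HEX_LEN.items():
        if len(signature) == length:
            return name
    raise ValueError("unrecognised signature length %d" % len(signature))


def content_changed(data, stored_signature, module=hashlib):
    """Re-check a stored signature with the algorithm that produced it, so an
    md5 .sconsign survives a switch to sha256; if that algorithm is unusable
    here, report a change so the target is rebuilt rather than trusted."""
    ctor = usable_hash(signature_algorithm(stored_signature), module)
    if ctor is None:
        return True
    return ctor(data).hexdigest() != stored_signature
```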
