Skip to content

Make package FIPS compatible by marking blake2 hashing with usedforsecurity=False#295

Merged
seddonym merged 4 commits intopython-grimp:mainfrom
z4y4ts:patch-1
Jan 19, 2026
Merged

Make package FIPS compatible by marking blake2 hashing with usedforsecurity=False#295
seddonym merged 4 commits intopython-grimp:mainfrom
z4y4ts:patch-1

Conversation

@z4y4ts
Copy link
Contributor

@z4y4ts z4y4ts commented Jan 19, 2026
edited
Loading

  • Add tests for the change. In general, aim for full test coverage at the Python level. Rust tests are optional.
  • Add any appropriate documentation.
  • Add a summary of changes to the latest section at the top of CHANGELOG.rst. (If it's not there, add it.)
  • Add your name to AUTHORS.rst.
  • Run just full-check.

Why this change?

In FIPS (Federal Information Processing Standards) compliant environments, Python's hashlib restricts the use of non-FIPS-approved algorithms like BLAKE2 when they might be used for security purposes. However, grimp only uses BLAKE2 to generate safe cache filenames—not for any cryptographic or security purpose.

By explicitly marking the hash with usedforsecurity=False, we tell Python that this hash is not being used for security, allowing grimp to work correctly in FIPS mode without triggering restrictions on non-approved algorithms.

@codspeed-hq
Copy link

codspeed-hq bot commented Jan 19, 2026
edited
Loading

Merging this PR will not alter performance

✅ 26 untouched benchmarks
⏩ 23 skipped benchmarks1

Comparing z4y4ts:patch-1 (a89008d) with main (53dd737)

Open in CodSpeed

Footnotes

  1. 23 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@z4y4ts z4y4ts marked this pull request as ready for review January 19, 2026 12:31
Copilot AI review requested due to automatic review settings January 19, 2026 12:31
@z4y4ts z4y4ts mentioned this pull request Jan 19, 2026
Merged
5 tasks
Copilot AI reviewed Jan 19, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes the grimp package compatible with FIPS (Federal Information Processing Standards) mode by explicitly marking blake2b hash usage as non-security-related. The change allows grimp to work in FIPS-compliant environments where non-approved cryptographic algorithms are restricted for security purposes.

Changes:

  • Added usedforsecurity=False parameter to blake2b hash function call used for generating cache filenames
  • Updated CHANGELOG.rst to document the FIPS compatibility improvement
  • Added contributor to AUTHORS.rst

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
src/grimp/adaptors/caching.py Added usedforsecurity=False parameter to blake2b hash call to enable FIPS compatibility
CHANGELOG.rst Added entry documenting FIPS compatibility improvement
AUTHORS.rst Added new contributor Oleksandr Zaiats

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@seddonym seddonym merged commit 977b7f0 into python-grimp:main Jan 19, 2026
23 of 24 checks passed
@seddonym
Copy link
Collaborator

seddonym commented Jan 19, 2026

Thanks for this - today I learned about usedforsecurity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@z4y4ts @seddonym