Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request: Enable FIPS compliance automatically #2590

Open
vexx32 opened this issue Feb 8, 2022 · 0 comments
Open

Request: Enable FIPS compliance automatically #2590

vexx32 opened this issue Feb 8, 2022 · 0 comments
Labels
0 - _Triaging Improvement

Comments

@vexx32
Copy link
Member

vexx32 commented Feb 8, 2022
edited
Loading

Currently to allow choco to calculate checksums on a device with FIPS compliance mode enabled, the feature useFipsCompliance must be enabled. Given that this is something that can be determined ahead of time (as I believe it's a registry setting?), is there a good reason we have a feature toggle for it and don't just enable it automatically when it's required?

History

I did a bit of digging and turned up this comment from Rob in 2016 which cited undefined "undesirable effects". Some additional digging requiring the use of the wayback machine (the link to the blog post is now dead) dug up this blog post from Microsoft which carries a clarifying comment edit made in 2017 which states:

[Note added 3 Oct 2017 to clarify an occasional misinterpretation: at no point does this blog post recommend against using FIPS mode. As stated near the end of the post, "we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make."]

Apart from the obvious case of "if FIPS compliance is enabled, you can't use any non-FIPS-compliant algorithms in a .NET application" which Chocolatey already handles anyway (albeit in a sometimes undesirable fashion, simply telling the user to go enable the FIPS compliance feature), there does not appear to be a significant reason to avoid running entirely in FIPS compliant systems, given we've already coded in a workaround (just one that has to be manually enabled, for some reason).

Context

Part of the reason I'm raising this issue is due to this issue being raised in the chocolatey-ansible repository: chocolatey/chocolatey-ansible#37

Given there is an ask for it to be made easier, the question was raised in discussion with @pauby and myself whether it would make more sense for choco itself to manage its FIPS modes automatically, rather than requiring explicit opt-in.

In a system with FIPS compliance enabled, you cannot use certain features of Chocolatey without enabling the FIPS feature, so my question is -- why don't we attempt to check whether the feature is enabled, and configure Chocolatey accordingly?

/cc @pauby @gep13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0 - _Triaging Improvement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@vexx32