Set usedforsecurity=False in hashlib methods (FIPS compliance) #5790

Merged
merged 4 commits into from
Nov 17, 2023

Wauplin
Collaborator

@Wauplin Wauplin commented Nov 14, 2023

Related to huggingface/transformers#27034 and huggingface/huggingface_hub#1782.

TL;DR: hashlib is not a secure library for cryptography-related stuff. We are only using hashlib for non-security-related purposes in diffusers so it's fine. From Python 3.9 we can set usedforsecurity=False in any hashlib method which is mandatory for companies that forbid the use of hashlib for security purposes. This PR fixes that.

Note: before merging this we need to release a new tokenizers version that would allow the newest huggingface_hub version (see huggingface/tokenizers#1385). Otherwise it might create friction to users that want to install diffusers + tokenizers at the same time.
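
An added example, not part of the PR or of diffusers' code: an `ast`-based audit that lists `hashlib` calls still missing `usedforsecurity=False`, the flag this PR sets. The `WEAK` set, the function names and the sample source are assumptions made for illustration.

```python
import ast

WEAK = {"md5", "sha1"}  # algorithms to flag; this set is an assumption of the example

# Constructed sample source, not taken from diffusers.
SAMPLE = '''import hashlib
from hashlib import sha1

def cache_key(url):
    return hashlib.md5(url.encode()).hexdigest()

def etag(blob):
    return hashlib.sha1(blob, usedforsecurity=False).hexdigest()

def legacy(blob):
    return sha1(blob).hexdigest()

def by_name(blob):
    return hashlib.new("md5", blob).hexdigest()
'''

def _algo(call, modules, direct):
    """Return the hashlib algorithm a call constructs, or None."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in modules:
        if f.attr == "new" and call.args and isinstance(call.args[0], ast.Constant):
            return str(call.args[0].value).lower()  # hashlib.new("md5", ...)
        return f.attr                               # hashlib.md5(...)
    return direct.get(f.id) if isinstance(f, ast.Name) else None  # from hashlib import sha1

def find_unmarked(source):
    """List (line, algorithm) for WEAK hashlib calls lacking usedforsecurity=False."""
    tree = ast.parse(source)
    modules, direct = set(), {}
    for node in ast.walk(tree):  # resolve import aliases before looking at calls
        if isinstance(node, ast.Import):
            modules |= {a.asname or a.name for a in node.names if a.name == "hashlib"}
        elif isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            direct.update({a.asname or a.name: a.name for a in node.names})
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _algo(node, modules, direct) not in WEAK:
            continue
        marked = any(k.arg == "usedforsecurity" and isinstance(k.value, ast.Constant)
                     and k.value.value is False for k in node.keywords)
        if not marked:
            hits.append((node.lineno, _algo(node, modules, direct)))
    return sorted(hits)
```

Calls it reports are the ones that would raise on a FIPS-enforcing Python build, or that need review to confirm the digest is not used for a security decision.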

@HuggingFaceDocBuilderDev

HuggingFaceDocBuilderDev commented Nov 14, 2023

The documentation is not available anymore as the PR was closed or merged.

Member

@sayakpaul sayakpaul left a comment

TIL!

Thanks!

@Wauplin
Collaborator Author

Wauplin commented Nov 17, 2023

Thanks for the review! I'll merge now that the dependency version thingy is fixed (was mostly a problem for transformers, not diffusers but still preferred to wait).

@Wauplin Wauplin merged commit c896b84 into main Nov 17, 2023
@kashif kashif deleted the fips-compliance-regarding-hashlib branch December 5, 2023 08:59
yoonseokjin pushed a commit to yoonseokjin/diffusers that referenced this pull request Dec 25, 2023
…gingface#5790)

* Set usedforsecurity=False in hashlib methods (FIPS compliance)

* update version dependency

* bump hfh version

* bump hfh version
AmericanPresidentJimmyCarter pushed a commit to AmericanPresidentJimmyCarter/diffusers that referenced this pull request Apr 26, 2024
…gingface#5790)

* Set usedforsecurity=False in hashlib methods (FIPS compliance)

* update version dependency

* bump hfh version

* bump hfh version