)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"b11bb81fe0f96f570538e2badf74c902b84aa3a6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"e0bc8f0b_cf4d6b58","updated":"2021-11-12 09:28:54.000000000","message":"I also agree it makes sense to test OpenStack in FIPS-compatible environment by default. It should cover our needs.","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"09a14acbd5f073c605079035ac8fa3650e2755f3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ad76e52c_c1ddf4eb","updated":"2021-11-11 17:04:54.000000000","message":"I have added some wording nits.  All-in-all I support this.","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"397d359a58642bd5a6357d3972b23bf15ae66521","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d6c189ce_890e5f8e","updated":"2021-12-02 15:53:54.000000000","message":"\u003e Patch Set 3:\n\u003e \n\u003e Yes, in essence, at any given point in time, the slow-moving USA NIST approval process will mean that there are some improvements (security-related or otherwise) which aren\u0027t available in FIPS compliant deployments. 
This doesn\u0027t mean that we shouldn\u0027t attempt to make it possible for operators to deploy on such a platform (any platform will have some shortcomings after all), just that we shouldn\u0027t only test in FIPS mode and that we shouldn\u0027t expect OpenDev sysadmins to be able to assist with troubleshooting such problems in jobs running under \"FIPS mode\" as they\u0027re not equipped with the necessary familiarity and tools to do so (e.g., they may use SSH keys which are not covered by relevant NIST publications).\n\u003e \n\u003e My biggest concern with putting too much focus on FIPS standards is that they\u0027re necessarily Americentric, yet OpenStack is developed and used globally. Will we invest similar amounts of effort in GOST (ГОСТ) compliance? Or the PRC\u0027s SM9?\n\nEchoing your point here, the comments here indicate reasons that we shouldn\u0027t only support and test in FIPS compliant environments.\n\nFrom the point of view of selecting libraries, we would need to either use libraries that support both FIPS and non-FIPS (ed25519) or make it possible to select a FIPS compliant library (through configuration or otherwise).\n \nDoing work to support FIPS compliant deployments does not preclude doing work to achieve other compliance standards.  The more compliance standards we support, the more widely deployable OpenStack will be.  
That said, much of the work that is done to support FIPS will likely help reach other compliance targets too.\n\nShould community goals only target concerns that are global in scope?","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"283199e8347b8240ff2812779cd6db9a36f5e877","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d5484729_b3d4f35e","updated":"2022-01-05 13:29:24.000000000","message":"I think there\u0027s some agreement we should test for both FIPS and non-FIPS usage. Have we come up with some ideas on how this can be done and the paramiko concerns? \n\n@fickler have your concerns been addressed or do you have any suggestions for resolution?","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"a1ae0d7b13fe0f6f0ef3ee494fa5d2bfce222ff4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e0ec1337_1af4dafb","updated":"2021-11-12 17:57:38.000000000","message":"Seeing that I cannot login with my ed25519 ssh key into CI instances in fips mode, I claim that fips compliance is not a valid target for openstack.","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"92444133726dceb5aab2cba5c0d1aac7f51b202a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"c3908f54_b5cdc0eb","updated":"2022-01-06 15:39:20.000000000","message":"Some wording/typo comments in-line.  
I think this continues to head in the right direction.","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"3498d9f9131e70db4701f76d935b70f42f716eaa","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"988c1412_14b0717c","updated":"2021-11-13 14:19:17.000000000","message":"Well this proposal is talking only about FIPS 140-3 afaict from the link provided, maybe the wording should become more explicit in that regard. Also I have no idea what\u0027s actually inside that document, I can only speak from my experience with actual CI nodes that were deployed. And from that it would seem like at least 40% of the current infra-roots would either have to change their SSH keys to some potentially less secure option or would not be able to debug any FIPS related CI issues properly.\n\nIn addition, there is also a general concern that using FIPS-certified libraries may be less secure, because there is a certain incentive to not publish security issues and fixes[0]. This would in particular make the move away from paramiko questionable IMO.\n\n[0] https://en.wikipedia.org/wiki/FIPS_140#Criticism","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"b0dc65753c8316209e4d629efe29532cf40dc7ce","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"889ca7c8_347545f0","in_reply_to":"d5484729_b3d4f35e","updated":"2022-01-10 22:28:51.000000000","message":"I think testing both fips and non-fips means that each project will need to add at least one CI job that tests when fips is enabled.  This job should test enough of the functionality for the project to be confident in the results.  
The remaining jobs will continue to test in non-fips environments.\n\nWe\u0027re still looking into how to best move forward with a paramiko replacement, but we have found that a relatively small patch of paramiko will allow us to be fips-compatible if not fips compliant. [1]\n\nWhen we do find a replacement, if we can\u0027t find something that works for FIPS and non-FIPS, we\u0027ll be sure to allow for both cases depending on config.\n\n[1] https://review.opendev.org/c/openstack/tempest/+/822560","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"87d0c5c17ce965c7a8e619aaa054f3bbd18fb047","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"8c2cbcfb_6f416bbb","updated":"2022-01-20 15:58:14.000000000","message":"Thanks for addressing my previous comments.  I think this looks good.","commit_id":"4348fb36bde280c8b15bfb3ae636b42eb5745462"},{"author":{"_account_id":16708,"name":"Kendall Nelson","display_name":"Kendall (diablo_rojo)","email":"kennelson11@gmail.com","username":"kjnelson"},"change_message_id":"fa386b4e15e9e6ed92a0bdb9af68db29d98502b0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"54d34d02_d51cdac6","updated":"2022-01-21 18:00:16.000000000","message":"Thanks for getting this written up!","commit_id":"4348fb36bde280c8b15bfb3ae636b42eb5745462"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9385e7f27207a1dc75860641927454cf1e01e985","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"1382271d_4574aa36","updated":"2022-01-27 16:25:25.000000000","message":"lgtm, thanks for working on it.","commit_id":"4348fb36bde280c8b15bfb3ae636b42eb5745462"},{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f6bf16b51edd5154e4ec2acf34ee8dac58068458","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"42c4cac9_9d58fb06","updated":"2022-01-28 03:14:20.000000000","message":"recheck","commit_id":"4348fb36bde280c8b15bfb3ae636b42eb5745462"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"9925da82600ffb84d59f2e2d70289e7c4a17fbc9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"6108892a_876d82f7","updated":"2022-01-27 21:29:25.000000000","message":"recheck","commit_id":"4348fb36bde280c8b15bfb3ae636b42eb5745462"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e831669d5c85d2845f9c3de594ef4d0fae739d4b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"c87802d9_e7327adf","updated":"2022-01-27 23:40:02.000000000","message":"we need to wait for skyline repo rename https://review.opendev.org/c/openstack/governance/+/826243","commit_id":"4348fb36bde280c8b15bfb3ae636b42eb5745462"}],"goals/proposed/fips.rst":[{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"09a14acbd5f073c605079035ac8fa3650e2755f3","unresolved":true,"context_lines":[{"line_number":15,"context_line":""},{"line_number":16,"context_line":"The main effect of turning on FIPS mode in the kernel is to set the kernel"},{"line_number":17,"context_line":"cryptographic modules to disallow certain cryptographic operations, ciphers"},{"line_number":18,"context_line":"and algorithms, or to only allow their within certain contexts.  More precise"},{"line_number":19,"context_line":"details can be obtained from the FIPS spec. 
[1]"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The goal of FIPS Compatibility is ensure that OpenStack functions correctly"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3747f159_d19bb878","line":18,"range":{"start_line":18,"start_character":33,"end_line":18,"end_character":45},"updated":"2021-11-11 17:04:54.000000000","message":"their use within","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"09a14acbd5f073c605079035ac8fa3650e2755f3","unresolved":true,"context_lines":[{"line_number":29,"context_line":"We would also be able to identify dependencies that need to be updated to work"},{"line_number":30,"context_line":"under FIPS. [2]"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Moreover, there are problems that are common to all many projects, which"},{"line_number":33,"context_line":"could better be solved with a standard approach."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"FIPS Compliance"}],"source_content_type":"text/x-rst","patch_set":2,"id":"efcfdc2a_e5877974","line":32,"range":{"start_line":32,"start_character":44,"end_line":32,"end_character":65},"updated":"2021-11-11 17:04:54.000000000","message":"to many or all projects","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"09a14acbd5f073c605079035ac8fa3650e2755f3","unresolved":true,"context_lines":[{"line_number":75,"context_line":"party vendors test their functionality under FIPS, as well as providing an"},{"line_number":76,"context_line":"opportunity to solve common problems with a standard approach."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"FIPS biggest effect on OpenStack service so far has been in 
disallowing the"},{"line_number":79,"context_line":"use of MD5.  Under FIPS, hashlib.md5() will fail unless it is annotated as"},{"line_number":80,"context_line":"not being used in a security context using a special annotation"},{"line_number":81,"context_line":"(usedforsecurity) that was introduced in python 3.9 [5].  This annotation"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4642fb7f_f83c1263","line":78,"range":{"start_line":78,"start_character":33,"end_line":78,"end_character":40},"updated":"2021-11-11 17:04:54.000000000","message":"services","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"0c84a0fc014d03827115aea557cab2aadab8bcb2","unresolved":true,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"Using this role, a whole slew of CI FIPS jobs have been proposed. [10]"},{"line_number":93,"context_line":"The vast majority of the tempest tests in these jobs currently pass (albeit"},{"line_number":94,"context_line":"with a hacked version of paramiko)."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Current Issues"},{"line_number":97,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1847e8a0_d8e3dff8","line":94,"updated":"2021-11-09 23:53:58.000000000","message":"It might be a good idea to describe the end goal for ongoing CI/testing here as well. Ideally (imo at least) we\u0027d avoid running fips and non fips duplicated jobs for everything. 
And reasonable functional testing is probably sufficient for coverage?\n\nThis way it is clear for projects when they\u0027ve completed work to be reasonably compliant (enable jobs foo and bar, or swap existing jobs for existing jobs + fips, etc).","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"fde183794c67b279dbc5660bf40da499c3691d4f","unresolved":true,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"Using this role, a whole slew of CI FIPS jobs have been proposed. [10]"},{"line_number":93,"context_line":"The vast majority of the tempest tests in these jobs currently pass (albeit"},{"line_number":94,"context_line":"with a hacked version of paramiko)."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Current Issues"},{"line_number":97,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8b119233_5cb70b41","line":94,"in_reply_to":"1847e8a0_d8e3dff8","updated":"2021-11-10 04:19:38.000000000","message":"Up to now, I\u0027ve consulted with each team and asked them to select the best set of tests to ensure coverage.  The result has been a mix of unit/functional/tempest tests.\n\nI do like the goal though of trying to replace existing jobs with FIPS jobs, rather than having duplicate jobs.  If it works under FIPS, then it should work without FIPS.  
And if we have a job that is run without FIPS enabled, then there\u0027s a good known reason.","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"fde183794c67b279dbc5660bf40da499c3691d4f","unresolved":true,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"* Paramiko will need to be replaced across all the OpenStack services.  It"},{"line_number":104,"context_line":"  will be valuable to come up with a common approach."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"References"},{"line_number":107,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9e15e156_10c0ffcc","line":105,"updated":"2021-11-10 04:19:38.000000000","message":"An additional note here.  \n\nAfter looking at how I hacked paramiko to work, it\u0027s clear that the main issue is a call to md() when generating fingerprints, which are then written to log files.\nNo secret data is involved here - so this is a perfectly acceptable use of md5() under fips.\n\nThere are two ways to resolve this in paramiko - either use the usedforsecurity parameter as in here: https://github.com/vakwetu/paramiko/commit/b4beb535d7293447f25afd12051dbc45bb1e6ddc or allow the use of a different algorithm as in here: https://github.com/paramiko/paramiko/pull/1103\n\nParamiko also uses md5() in generating a key from a password while reading an encrypted PEM file that is not in the newer OpenSSH format.  
We can get around that by simply making sure that relevant encrypted key files are generated by OpenSSH.\n\nThat brings up a salient point though - which is that paramiko implements a lot of its own crypto - which - without significant investment - will not be FIPS certified.\n\nSo, while we will be able to reach FIPS compatibility relatively easily with paramiko, we will need to replace paramiko across openstack for FIPS compliance, just as we would for other non-FIPS certified crypto libraries.","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"2abd34d022f7cefd23ebcf90e92f1142cbc3c085","unresolved":false,"context_lines":[{"line_number":109,"context_line":"#. FIPS Spec:"},{"line_number":110,"context_line":"   https://csrc.nist.gov/publications/detail/fips/140/3/final"},{"line_number":111,"context_line":"#. So far, packages that we have found to require FIPS updates include django, certmonger"},{"line_number":112,"context_line":"   and sphinx."},{"line_number":113,"context_line":"   https://github.com/django/django/pull/14763"},{"line_number":114,"context_line":"#. Some required setting include:"},{"line_number":115,"context_line":"   iscsi chap algorithms: https://review.opendev.org/c/openstack/puppet-tripleo/+/778081"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e312405d_37d5eaa9","line":112,"updated":"2021-11-09 23:16:52.000000000","message":"I\u0027m surprised Sphinx is a runtime requirement. Where did this come up? 
Are people actually trying to build documentation on FIPS-compatible systems?","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"fde183794c67b279dbc5660bf40da499c3691d4f","unresolved":false,"context_lines":[{"line_number":109,"context_line":"#. FIPS Spec:"},{"line_number":110,"context_line":"   https://csrc.nist.gov/publications/detail/fips/140/3/final"},{"line_number":111,"context_line":"#. So far, packages that we have found to require FIPS updates include django, certmonger"},{"line_number":112,"context_line":"   and sphinx."},{"line_number":113,"context_line":"   https://github.com/django/django/pull/14763"},{"line_number":114,"context_line":"#. Some required setting include:"},{"line_number":115,"context_line":"   iscsi chap algorithms: https://review.opendev.org/c/openstack/puppet-tripleo/+/778081"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b2122fa6_c9c7b759","line":112,"in_reply_to":"e312405d_37d5eaa9","updated":"2021-11-10 04:19:38.000000000","message":"sphinx came up in the tripleo CI jobs, because there is at least one job where the required packages are built through dlrn and containers are created.  We worked around this by specifying that these jobs would run on a non-fips enabled system.\n\nThere is a fix for this in sphinx, but it\u0027s in a version much later than what\u0027s in requirements.","commit_id":"6a2ea8711aab6d75a991723ee68900c73d80d430"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"92444133726dceb5aab2cba5c0d1aac7f51b202a","unresolved":true,"context_lines":[{"line_number":134,"context_line":"  files.  
This use of md5() is valid under FIPS and so we can patch paramiko"},{"line_number":135,"context_line":"  to either allow the usage [11] or to use a different algorithm [12]."},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"* Paramiko also ses md5() in generating a key from a password while reading an"},{"line_number":138,"context_line":"  encrypted PEM file that is not in the newer OpenSSH format.  We can get around"},{"line_number":139,"context_line":"  that by simply making sure that relevant encrypted key files are generated by"},{"line_number":140,"context_line":"  OpenSSH."}],"source_content_type":"text/x-rst","patch_set":3,"id":"3c63fe9d_aa5705f9","line":137,"range":{"start_line":137,"start_character":16,"end_line":137,"end_character":19},"updated":"2022-01-06 15:39:20.000000000","message":"uses","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"b0dc65753c8316209e4d629efe29532cf40dc7ce","unresolved":true,"context_lines":[{"line_number":134,"context_line":"  files.  This use of md5() is valid under FIPS and so we can patch paramiko"},{"line_number":135,"context_line":"  to either allow the usage [11] or to use a different algorithm [12]."},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"* Paramiko also ses md5() in generating a key from a password while reading an"},{"line_number":138,"context_line":"  encrypted PEM file that is not in the newer OpenSSH format.  
We can get around"},{"line_number":139,"context_line":"  that by simply making sure that relevant encrypted key files are generated by"},{"line_number":140,"context_line":"  OpenSSH."}],"source_content_type":"text/x-rst","patch_set":3,"id":"6e90cd0c_0f9a3c95","line":137,"range":{"start_line":137,"start_character":16,"end_line":137,"end_character":19},"in_reply_to":"3c63fe9d_aa5705f9","updated":"2022-01-10 22:28:51.000000000","message":"will fix","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"92444133726dceb5aab2cba5c0d1aac7f51b202a","unresolved":true,"context_lines":[{"line_number":139,"context_line":"  that by simply making sure that relevant encrypted key files are generated by"},{"line_number":140,"context_line":"  OpenSSH."},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"* Paramiko is not FIPS certified though, and so will ultimately will need to be"},{"line_number":143,"context_line":"  replaced across Openstack for compliance.  This should be co-ordinated across"},{"line_number":144,"context_line":"  projects so it can be done consistently.  
A patch has been proposed to replace"},{"line_number":145,"context_line":"  paramiko with libssh instead because this library uses FIPS certified crypto."}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff6c4f47_1341623a","line":142,"range":{"start_line":142,"start_character":41,"end_line":142,"end_character":67},"updated":"2022-01-06 15:39:20.000000000","message":"and so will ultimately need","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"b0dc65753c8316209e4d629efe29532cf40dc7ce","unresolved":true,"context_lines":[{"line_number":139,"context_line":"  that by simply making sure that relevant encrypted key files are generated by"},{"line_number":140,"context_line":"  OpenSSH."},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"* Paramiko is not FIPS certified though, and so will ultimately will need to be"},{"line_number":143,"context_line":"  replaced across Openstack for compliance.  This should be co-ordinated across"},{"line_number":144,"context_line":"  projects so it can be done consistently.  
A patch has been proposed to replace"},{"line_number":145,"context_line":"  paramiko with libssh instead because this library uses FIPS certified crypto."}],"source_content_type":"text/x-rst","patch_set":3,"id":"c8feb8f0_3fcc2a71","line":142,"range":{"start_line":142,"start_character":41,"end_line":142,"end_character":67},"in_reply_to":"ff6c4f47_1341623a","updated":"2022-01-10 22:28:51.000000000","message":"will fix","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":7198,"name":"Jay Bryant","email":"jungleboyj@electronicjungle.net","username":"jsbryant"},"change_message_id":"92444133726dceb5aab2cba5c0d1aac7f51b202a","unresolved":true,"context_lines":[{"line_number":142,"context_line":"* Paramiko is not FIPS certified though, and so will ultimately will need to be"},{"line_number":143,"context_line":"  replaced across Openstack for compliance.  This should be co-ordinated across"},{"line_number":144,"context_line":"  projects so it can be done consistently.  
A patch has been proposed to replace"},{"line_number":145,"context_line":"  paramiko with libssh instead because this library uses FIPS certified crypto."},{"line_number":146,"context_line":"  [13]  Ultimately, though, a different library may be selected."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2b1ba528_0759b7ec","line":145,"range":{"start_line":145,"start_character":23,"end_line":145,"end_character":43},"updated":"2022-01-06 15:39:20.000000000","message":"as this","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"b0dc65753c8316209e4d629efe29532cf40dc7ce","unresolved":true,"context_lines":[{"line_number":142,"context_line":"* Paramiko is not FIPS certified though, and so will ultimately will need to be"},{"line_number":143,"context_line":"  replaced across Openstack for compliance.  This should be co-ordinated across"},{"line_number":144,"context_line":"  projects so it can be done consistently.  
A patch has been proposed to replace"},{"line_number":145,"context_line":"  paramiko with libssh instead because this library uses FIPS certified crypto."},{"line_number":146,"context_line":"  [13]  Ultimately, though, a different library may be selected."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":3,"id":"506a58b1_e88d0a45","line":145,"range":{"start_line":145,"start_character":23,"end_line":145,"end_character":43},"in_reply_to":"2b1ba528_0759b7ec","updated":"2022-01-10 22:28:51.000000000","message":"will fix","commit_id":"1715a1e4c177a42c05fe7ed435a084d2393e23fe"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9385e7f27207a1dc75860641927454cf1e01e985","unresolved":true,"context_lines":[{"line_number":76,"context_line":"#. All OpenStack projects should have at least one job to test functionality"},{"line_number":77,"context_line":"   when FIPS is enabled. These tests should pass with limitations documented."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"#. Run Refstack tests in FIPS mode. These tests should pass. It is expected"},{"line_number":80,"context_line":"   that some FIPS specific configuration may be required [3], or that some"},{"line_number":81,"context_line":"   tests/features would be invalid under FIPS [4]. These configurations and"},{"line_number":82,"context_line":"   limitations should be well documented."}],"source_content_type":"text/x-rst","patch_set":5,"id":"2a1591b3_18261758","line":79,"range":{"start_line":79,"start_character":1,"end_line":79,"end_character":22},"updated":"2022-01-27 16:25:25.000000000","message":"You mean Tempest tests? There are no refstack tests and it runs the tempest tests itself","commit_id":"4348fb36bde280c8b15bfb3ae636b42eb5745462"}]}
