[reportlab-users] UC fips compliant

Claude Paroz claude at 2xlibre.net
Tue Sep 21 12:34:09 EDT 2021

On 21.09.21 at 18:13, Tim Roberts wrote:
> Satchell Julian via reportlab-users wrote:
>> SHA-1 is no longer recommended, as collision attacks on it are well 
>> known. Minimum is something in the SHA2 family, depending on strength 
>> / length requirement.
> Well, you have to balance the cost against the risk.  With one 
> exception, MD5 is not used in a security context within ReportLab.  It's 
> just a hash algorithm.  There is no "attack vector", and there are no 
> secrets being protected.  For those uses, even SHA1 is overkill, and 
> SHA2 is vast overkill.

Also note the new usedforsecurity argument added in Python 3.9:

That could help for FIPS compliance. See also the ticket and patch 
discussing the same topic for Django:
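
Added example, not part of the original message and not ReportLab or Django code: one way to apply the usedforsecurity argument mentioned above to a non-security MD5 use, with a fallback for Python versions before 3.9. The helper names and the cache-key use case are assumptions made for illustration.

```python
import hashlib


def nonsecurity_md5(data: bytes = b""):
    """Return an MD5 object flagged as not used for security.

    On FIPS-enforcing builds, hashlib.md5(data) can raise ValueError.
    usedforsecurity=False (Python 3.9+) declares the digest a plain
    fingerprint, so the backend may still allow it.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        # Python < 3.9 does not accept the keyword; use the plain call.
        return hashlib.md5(data)


def md5_security_use_blocked() -> bool:
    """Probe whether this interpreter refuses MD5 in a security context."""
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return True
    return False


def cache_key(*parts: str) -> str:
    """Hypothetical non-security use: a stable identifier for cached content."""
    h = nonsecurity_md5()
    for part in parts:
        encoded = part.encode("utf-8")
        # Length-prefix each part so ("ab", "c") and ("a", "bc") differ.
        h.update(len(encoded).to_bytes(4, "big"))
        h.update(encoded)
    return h.hexdigest()


def integrity_digest(data: bytes) -> str:
    """Security-context use stays on the SHA-2 family, default flag."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("MD5 blocked for security use:", md5_security_use_blocked())
    print("cache key:", cache_key("Helvetica", "12"))
```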


